23542300x800000000000000017186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:46.363{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4689334E33D8C93B4847C34C4AFB3ED6,SHA256=7F886516B0627DCD35A21972ACFBCB978B34FD42F1DE85B9540F7EF9E48903F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:46.510{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78343FBAAE77AAA4D51A8B5DF643461D,SHA256=DE12E0857D41872DD0FB58793C9881FA3FF2AB3382B763F21668D16D3A0F925D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:47.543{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F9E793B3FBB388D4845559ED8AE3AE,SHA256=2078CA69FD9D5E4814874C09C34619F68EA779926E23C6F304BC2028601F35EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:47.368{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06B9C2440F72F5741E1AF2070D413CA,SHA256=4CE0BEAC7148974B4AF8AA8B251F2A1874D9D32E604EE4BF0A0EE35E41A5D971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:43.499{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57898- 23542300x800000000000000032385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:48.567{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF423EFF5D5EAD243A9DB329205F088B,SHA256=3AAF9B8A836DB4BA43F1598F56303A67FA6666B23F890DBBD701F716FE3149D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:48.399{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18FE9E365C7F7C2E6193A587FD7058F,SHA256=8D82F61276C60B29B81EFF207B81D2591ED6B297803D1424084BEBAFB46667C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:43.684{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:49.415{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57AC016AF21CCDBB8A82322B4BC9C29,SHA256=5BE92E6B712A8704152451D04669F712924CA13D4D7ABDC8F3549827436EA63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:49.602{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-064MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:49.602{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D511DCE4E41A22406671C47FC25EA6,SHA256=A1AF9C649A17BC98C5754D7335D9E56FA429B2F7911A3587EC94855D24629771,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:48.433{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:50.618{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA735F62B1FFABEBDAD3D0FA0A95411,SHA256=65E1158953DCBDC6FC46E506C79FFDEB4EFBE878A96B86C5332C349FB6122DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:50.616{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E55388F670B03C6E75AE1819C35755,SHA256=E92D843602FFB3E6CE3B2AF4CCC260532F4AB7A33C0360D1AFB223992E00855F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:50.615{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:51.665{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD52BCA33996CB86A52C082B4778FF2,SHA256=56903C401431AFED3D3E7C83E09BE134A58AB6C93C6B00AC750C7E92F58B3408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:51.628{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B144EE55725EF92BBE199CBFF15D11A4,SHA256=5F10339CD73B0AFF450781D5393534F9CA717B779441354DAAFB3D17E290A005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:52.680{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70064B89E691BADA1CF33B1C4DD1AAA8,SHA256=696C5E0AFAA7708409BCAB33663354F9C0C65C8E65E89CC9FBC9E675F86C33AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:52.844{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=11B006DC101377CFAF2C3D1EDCD067AF,SHA256=061A868DD03FB73838E7E02F5F7A933D98A38385B76E43056F8D743DE32CC40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:52.665{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4227716B1063E8C0D551C4A16BF91DB4,SHA256=ED3743DEDEDD0AE4CB0D5429AE3921DF523D4C0B6E7782E3EC674337B226C1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:48.753{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:53.727{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDA4363C2B59E1E79A7D000CF6931B2,SHA256=7289E357209ADA613471C2B579C30BF5447372A6A4AE3F1AEFE163ED94B2A3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:53.680{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D535332FBEA0C538105FD789A58DC816,SHA256=2D1689BAD41101274F374F285F929ED359CEF62546A658448E34F08F48C52677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:54.743{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C3DB1F7F83A918D933B64983458CD6,SHA256=3C1374AC15004CE36899A931C446E8AFAF212EA5DFDFC61D9548ACC248D446D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:54.695{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84999591CE266B7FBC19DFFF3C3563,SHA256=FF64634D410AC0970DAF68DC866173A9D620FD9A91EECD94B7FAD49408E95F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:55.758{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCFBCE9B5D4781C0E30A75CAB25690E,SHA256=D6CA714449A3CE98962A9B0E45CA2B7537FBB9D954788D2B5CB5826ED3826050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.711{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B4E2598DD209AAA06C0DEA835785E0,SHA256=1EE9CA18AF3C4CE62C692E114AC4154422DE53078B254578B33023A9575D1B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.443{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.379{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=1E19D534A104405C176290CB78A9F41C,SHA256=DFE0262CFA910F339F46ADD3428CD263D925223169188DB8EB4172EE3AC2E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:56.996{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-052MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:56.760{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9AAF11644175C5C863A53B5CC99F7,SHA256=9A9806D0E7AFBA68E14455433D91EFA32BFC06BE0ADEB90C68323735FF74069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:56.779{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:56.726{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986B94B44C2076F2585BC07D710FAA27,SHA256=D9D941C6215D52674EB5E3F8013A1F26F90B420D2E0ECBD1C2F405B4DD08EE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:53.464{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:57.790{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB91F3C6BED6675065FF3E6373721B42,SHA256=C53C1446D11915C33D7E76C2260A1F4BEA3124A267BFE65594A0F2F18548CBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:57.727{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF9957256C67F1ABB9235CE4488B9E5,SHA256=6BF0F50D1D7AA0E7A8ED6D33609C9AE4E9AAC2D4401979340316069CEB67E616,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:53.799{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:58.746{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A972A0666A0074EC9035E4CAE5D06072,SHA256=65B05F489FE3BA177B34934F808E584048D5C9B8011F6489F6995EDBE9F47DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:58.010{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:59.763{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CCAC15B4905AA2326B9FD2F27D130A,SHA256=35ED070AE5992FDDCC0597588B8E468344B6ED3B93602E4454E5DF7D96CFDC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:59.024{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D676F6BB80B00B1546C8D7EC10E5C8,SHA256=E995C552693669CBA607F2E8F56D2293E3E7F2BEC9893B40C9DCD087670860B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:55.367{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:00.227{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208D595B4AF9F1D746E719027DBF3528,SHA256=54A903A1B51F02D69EC73055B2E1DDD50910B5D67FA364F82F7B3CC9EF3ECFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:00.794{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF35BBC605D7D7BCE2BC23E70FBD219A,SHA256=5FD6EC266E41D93FFA495DD272B7E959E69B723C4AE2E68C832028091A4F2285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:01.809{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9D3EA4AA8886059626D0098DA9B75E,SHA256=51EEB9B5B8BA8AC1E39D3A852E444CEDDD670A6CB2613AE83E1BBAE0E72CBF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:01.243{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774CFD2026C566209CDA233248767351,SHA256=24F34B2FF37B49A29DF49626835A16621F75325634E14AE31201F0F80E744CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:02.811{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5111FF3ABBFEE0887E0AE491A6CB68,SHA256=5308BC9A3CDC4C596D61726C20468624F40F39DCC347E1B9BE0DC544665DA35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:02.259{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF25C485E1BCB17D12F297ED864D84,SHA256=209CF964523DA833A67F1A3749182CAEE8BB2A4B71C51EF1F844587F17A1E36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:02.395{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=8F366F9F677889D18F9B69CC5F4BCC8A,SHA256=BEFA59E8A112D10304C18B163F6D289A2C1FA3BFDA315DCEB16880ABA69F5308,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:14:59.417{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.826{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A7007D87012A15D45C3F9CE72363CF,SHA256=0C728043397B179C9DCADDB19011109F65390D5B5ED0162956A367F3B110C809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:03.305{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409343B1195FFA9D1B6A3538601702AA,SHA256=EC91175D8290EB9599C90359B7DAAF610E8AE5C929008C14ADB2DF28768DB41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.295{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101434MD5=E332195D8BC167CE195E6AF0DD04C245,SHA256=D739DB732AC65FB243D788E98B93494F6B7408A4E6A6971557FB158CA100C3C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.279{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.bat2022-03-08 10:08:33.213 23542300x800000000000000032411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:03.279{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.batMD5=9317991E7E62982FA04F6BC78530B5F2,SHA256=D32156CBEA60C7C173E58E9543C6D15BF7A128E8607C73E4E9B2DA57292C7D47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:14:59.765{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:04.321{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD0A0EB960C962A72FE9FACFFB5A427,SHA256=3977002856FC8307E0CFCC970BD042F4E5A24DB9A941824AB6519597CF8C9A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:04.848{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D72DABDBAC614141C402E42B101E3A6,SHA256=9BAB8D3EBB6756D7B4172F5C4A868F0FB0371749747B4B909A736CF7D0273A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:05.864{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C1365047FA911A9A4CC2DF43858E7,SHA256=8B8CE3D16516C8192F25DEDA5332F542BE4B863A92BD958424D70E1909BF9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:05.321{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7BF95DC41098427C1815A65B9F15C,SHA256=D0B071F9A02875C2184311E5EC9F9119C8F4D1A874B36C616C412986DD6C8294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:06.864{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B8C2B444421309B7E3603B930C1D2C,SHA256=5D18383B8FEF40B444C51F8E76A2B9B95DAF4C9F06DD843740A495022032C561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:06.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3FA289FED61C75B2610830CCFD3CCC,SHA256=1C46D50F91050974680DED7D83DD6FF0C398A21E081668C9C4460303D48C50E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:07.879{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9295B469A440CDE90826FDB4EB5AC932,SHA256=3303671014AA5DF71338D888127CEDB144AC97186E89D6495AAF4606ACB8073E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:04.495{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:07.355{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556482B940D4A9723933AF8AD58DDE78,SHA256=ABF3DB1C3C9E92E5EEDA7BDFDBBBFC1D6A01A921AD01045EDF10C260FEB53938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:08.894{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B40AD790455516E487A1579CFC82E48,SHA256=CA992EE0FEB1F907E6D2CBD3B5BF0637BEC45F5C9170731DE27404E172FCC418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:08.371{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9308188C9B20E94C0248DB174BE91A,SHA256=E02D5DCC1F35D36E65C5403B4AE0737EFD9A3EF4618ADE08E33E282DB24B4C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:09.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78168CCCE189B8ED56FB9D17BDC2A9B5,SHA256=C6FFFB36DDE0A852183481269E6330AEE7D2F553D17013074C679C30BBA2780B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:09.914{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E38B8F51BA616B9EE59A9B638D4CCD8,SHA256=34D9A397CBF1F675D3D65A213F254322EB405D0E85F93D7AEBC89268A0A0414E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:05.699{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:10.668{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C092AAF38FF024729E90C125CCE25E,SHA256=B0E36E3BBEAA2020758989CF79A57CDC45D46CAB24FA69A0FAD011E9CA32D371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:10.931{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A7D638C9FAA0A12D2A90264160B62,SHA256=C354E1318594F28BB58C6270732006669241F1666A5D66D8FC1FA54D572EC09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:11.871{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11E94D797EDBD11B81816A09969127E,SHA256=1CD426A7E7AC807877A084C620D6355C4A533040DCA7C848B467484F5BE7E393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:11.950{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4674048937ABA872CDFE4C931BDBE0D,SHA256=3416CCD64128D55575FB14F1523800A90A80211A03946B0E0D9ADE4CADDED759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.984{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9481220680DC162E4280554A8AE5E3F2,SHA256=178C903C5CC6BA1A2112B2454553A7F37D33FB612CCF43D2CC384C93AD5DF7B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:10.326{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:12.399{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:13.043{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C93030BC2307FE9DFF01DA82C76452D,SHA256=9AC2E806F9A683FBAA6D716A310C7AA0C7F59858B15C2EC74CDD08983CD6511B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:13.415{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\aborted-session-pingMD5=69E1209F2F7EA451F9529140AB56B269,SHA256=468D2E6A051D8F1A40EA39B3E1CE9A79D76D4761F30409739C40AF73DAAB5347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:14.058{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A504D8EA2795A3AE346262E12792E,SHA256=033CDD0E13185395C4D94375476BF9EDD21C16179ABAB671169253DCA1048AA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:11.690{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:13.999{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A693E7E3D0D01277C7D15CA392BB4D88,SHA256=7E532222944FC6A55E3D09A986BBBE972D85F7893887384282646B6ED8211CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:15.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23354344BE157B3F9DA5A6EA2A8298EE,SHA256=33E8A72E224F6CBBF4B671EA6AC9B03D376FDA34EAF1ED0D2A0200F1C054CABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:15.000{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064BC5D41B8ED5B4B1529F5095F3CDBC,SHA256=B5A799F93DF0F46AB7BFE4A708477D16ED83E0516778577FE6522D084E82021F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:16.152{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CAE5DF98197BE5D97F3B4B92FDF838A,SHA256=F96613918A12F277800DB7107DEEC75AD36D04B2087B86E26F9A201D96D3F753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.414{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=3222DCC7C838AAE7B1781FAAFE80C377,SHA256=CC61DE33BEB515E10C05F3E32ED52A7857154385F951A922654DD4193B5D04B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.015{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18933A34942CFB91B2D84B1F0E9B4082,SHA256=6DC3BE28CE365756E75FAD902B58C97E2D50E1BC7F62F06FF383AF989E228FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:15.483{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:17.215{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA656BA57F3EA98DC3A21DA6AB11BA4,SHA256=C4BBC3D3B6347EE3A7886B46891FB5498B8B9B9294F360D1D1B2BA694F5B653D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:17.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F685E85D9F773BED501C346C1495B0A,SHA256=1A6257C78372C1174F4F5B684D11A7469D72CC416D0B27460C8D08C5C57008B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:18.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861D5C041022F236426ADE5694E27EB6,SHA256=CDF028CED29582B2DFCF0B85B3A53950DA8B405C08EFDFFF5D332F52D9DE6DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:18.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E232BC675D727C7A32FCBCF8C2321C,SHA256=D2C8814412A4D3046C3F0EF536BBF22CBD3FC781E2E688FF0BAC43340BF9D9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:19.684{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B63F1BBF43477EA34863696A387938,SHA256=18643A5F2927E0B5B8C17807BAC86FA94E91BC390C6A1A2A1FE2C58900947A3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:16.732{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:19.032{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4A1099402F61CDD78CA472F35AE9C5,SHA256=24223B54DC1775B06A2CCB093216DA1C85F6A12103C87C394E3ED97777CDBFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:20.699{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014254A410B2A83A993FDEF1C6043D61,SHA256=92233F7718937A29566D8CF49C6841A1DEEB27C3665CE0B1DDAC382ED3181346,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.501{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.502{C64CDE3E-2CB8-6227-7C07-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:20.033{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6258F6CEAC4C334DA21F5AD0ADAD5F,SHA256=6866585AF5431A2A5A43DCB503BF20DDE79CDC312E814E7D5C55783AF7247C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:21.699{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519B69AF9C1F1827860D104C29E59081,SHA256=ECCC9EF691E732ADFF243CB298BDA56F2207E172B8B9D6356F177D30333ADB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A105DE881AF49C2C349D671F62E7EDCC,SHA256=5E056C886335CA1EB9ADAEDD058151B913D2D03CB3977C64C5C13E91D7EC5BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7620B58072FAD5D507BF06105D3E5F39,SHA256=4EF2E8DA239691D6CE823B8AA2F5D7FFEA4F7DA7EF9CA596EE1E676472550F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.301{C64CDE3E-2CB9-6227-7D07-000000003602}46483544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.117{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.119{C64CDE3E-2CB9-6227-7D07-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.053{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E4F49242A1A57D8023EDA38F8E8CDC,SHA256=B900D1B2EBDCBB7C5181BD9B278822A6E11709639C71A4591005A83173FB34B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:22.761{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57C827641C744EE41217A0FC3601640,SHA256=5C5A8DF823D98AE0BB9663376B6E3BB115C7D9577A5E7FE1BE3599956BCDD3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.606{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.607{C64CDE3E-2CBA-6227-7E07-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.269{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.116{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\reg_sim.bat@2022-03-08_101516MD5=CFDB76C7F3FE01B2084F98C394FBC90C,SHA256=2CBA73062228575319218C0ADC3E7523188CCFF173A7C9CF4BC2181CBA8577E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000032461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.100{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.bat2022-03-08 10:08:33.213 23542300x800000000000000032460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.100{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.batMD5=E332195D8BC167CE195E6AF0DD04C245,SHA256=D739DB732AC65FB243D788E98B93494F6B7408A4E6A6971557FB158CA100C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:22.069{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CFCBFD2FB58278C5E82B44CCA981EB,SHA256=6E7645D662BCF164DA2277B50C2536E45F336D484EB6C79B43DF8426E1857208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:23.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E70F2C4648C18D34C40DD17B0AE4EE2,SHA256=04CDDCAE9B281742046D2302E97D63B59407D3CAC599B18DC08A7FCA2144CA41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:21.436{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.606{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A105DE881AF49C2C349D671F62E7EDCC,SHA256=5E056C886335CA1EB9ADAEDD058151B913D2D03CB3977C64C5C13E91D7EC5BA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.575{C64CDE3E-2CBB-6227-7F07-000000003602}56246624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.421{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0091DF85725C3CFC384589BF65B3D6,SHA256=27BA94052BAAE7653C7A420F4317CAD4C27271E992C7D548E26A1C678CB62B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:23.375{C64CDE3E-2CBB-6227-7F07-000000003602}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:24.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2505C18CD2083F22A6B9BF09B8E2AC3F,SHA256=3BD50C71E72F1BEAAAC38FAF7B67ACCD9D1FA6FAD3D81203F98A75BE866D294B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.692{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local50991-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.692{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local50991-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000032513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:24.405{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA511D70DE91B469C8F5DF8935D824D,SHA256=F9017FF19A665C027C0FBD9DC205031B56993BD6406B3A36486D56789F82DFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:25.933{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849F8952850C7674FB85894CBB71F35,SHA256=45C70A756AE853E2A03BF6FFAB969D9BC4554709007CC012010B1A66A813AE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:21.854{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:25.436{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496A0B926921296EB5D33A3E7D3441F3,SHA256=678519B2EC9A060D603FC636CB35F2A5BA2B875E30B5E7AEECE601BECF5CB52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:26.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC2FC331EA7B17156B55B6FD7616925,SHA256=0E3591D5292297994DE54B871E627ACB6CE23443C91F8032FB1AA50F1D7A83F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.937{C64CDE3E-2CBE-6227-8107-000000003602}45526424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.685{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.621{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.622{C64CDE3E-2CBE-6227-8107-000000003602}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.437{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D928CDADD05CA1851701406E7BDA1921,SHA256=8DF1F7A47D231AC337C00328E1BADC13C24A71208E2D9A35DC0644627B3B694B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.374{C64CDE3E-2CBE-6227-8007-000000003602}28326488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.121{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:26.122{C64CDE3E-2CBE-6227-8007-000000003602}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:27.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983CB7F83B715ED1D5FB98F2C3A7918,SHA256=8EBC4833A1C536DA474C4B2D3EF1C57BD39F7D39C12C970FE250FEC1E55AB5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.459{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BB00E583DE879E2CD77786BDDEEEC,SHA256=B5348BA9EFDA79A96167F682A3C8415BCA32C990D87F9068CEDEF6059095461B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.306{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.307{C64CDE3E-2CBF-6227-8207-000000003602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.126{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E5B86234AF0D22F589E1A369A664C2,SHA256=9606F707E6A57C623F7FCB7FC9CB3A692566029BE55995297137EC204E1A916B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:28.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481E036989A1A676E9C6296992320E66,SHA256=6EBA445DCB718BBD22A731E80BC02FA221A4DC38459669B0AF6891BA077AD9ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.727{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.639{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2A65-6227-3407-000000003602}7164C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3fcc8|C:\Program Files\Mozilla Firefox\xul.dll+847632|C:\Program Files\Mozilla Firefox\xul.dll+83b7f1|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.635{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e3ad48|C:\Program Files\Mozilla Firefox\xul.dll+e291e1|C:\Program Files\Mozilla Firefox\xul.dll+42295e4|C:\Program Files\Mozilla Firefox\xul.dll+244e3d0|C:\Program Files\Mozilla Firefox\xul.dll+97f5ae|C:\Program Files\Mozilla Firefox\xul.dll+942851|C:\Program Files\Mozilla Firefox\xul.dll+18b9dd|C:\Program Files\Mozilla Firefox\xul.dll+982a97|C:\Program Files\Mozilla Firefox\xul.dll+4385786|C:\Program Files\Mozilla Firefox\xul.dll+94b7cf|C:\Program Files\Mozilla Firefox\xul.dll+94e4d1|C:\Program Files\Mozilla Firefox\xul.dll+94d2ae|C:\Program Files\Mozilla Firefox\xul.dll+94c631|C:\Program Files\Mozilla Firefox\xul.dll+956664|C:\Program Files\Mozilla Firefox\xul.dll+8984da|C:\Program Files\Mozilla Firefox\xul.dll+82d577|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8 23542300x800000000000000032552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.531{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\formhistory.sqlite-journalMD5=8D0EBE12A0F16D3FE292A4FB91A098E0,SHA256=0DA5028350D08ED64B935526DDC8449B7C569EF59DE6ECCBAE268678476D1CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.463{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4F2AEC4BE06B7BEFAB8AF293953A3,SHA256=4723A3A534CE2F62848EA10A56E39644383CF1E4DB7B106C5C33A5181DD9D43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.319{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4056AB865DAEA66FDB098AE7F5B80D2,SHA256=C07404689E40A33576F59164434D289A6EE31EAA0CF3EEA897FABD8B92EFCA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:29.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E779AF16DBB09FC3448B4B386CEB3A,SHA256=63675053664E84CB030BC2DF1228560153CDD91BCC99E225587A9FA9466F124A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.844{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.841{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.823{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.823{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.799{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB0DC76AB0A2F424493C1F1C43B8F2,SHA256=795F666251735340975B61CEF44E6182CD16B8EF9EA392A02B91DDB410D90682,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000032604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.787{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-18C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.787{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-18C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.775{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.773{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.772{C64CDE3E-2A1D-6227-1907-000000003602}288\chrome.1268.54.53014384C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.771{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.54.53014384C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.770{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a01f4f|C:\Program Files\Mozilla Firefox\xul.dll+1a007eb|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.769{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.53.61886314C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.764{C64CDE3E-2A1A-6227-1807-000000003602}12685064C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12034b|C:\Program Files\Mozilla Firefox\xul.dll+120e94f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:29.761{C64CDE3E-2A1A-6227-1807-000000003602}1268\gecko-crash-server-pipe.1268C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.721{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e2b2a1|C:\Program Files\Mozilla Firefox\xul.dll+e39418|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.721{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a1cff|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+1a003ff|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.712{C64CDE3E-2A1A-6227-1807-000000003602}12687036C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30dbd|C:\Program Files\Mozilla Firefox\firefox.exe+2ffe5|C:\Program Files\Mozilla Firefox\xul.dll+205d28a|C:\Program Files\Mozilla Firefox\xul.dll+99dcee|C:\Program Files\Mozilla Firefox\xul.dll+99beb5|C:\Program Files\Mozilla Firefox\xul.dll+9a2b2e|C:\Program Files\Mozilla Firefox\xul.dll+839abd|C:\Program Files\Mozilla Firefox\xul.dll+16c00dd|C:\Program Files\Mozilla Firefox\xul.dll+16a857b|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+83cb5b|C:\Program Files\Mozilla Firefox\nss3.dll+69cc|C:\Program Files\Mozilla Firefox\nss3.dll+8f2b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.713{C64CDE3E-2CC1-6227-8307-000000003602}6972C:\Program Files\Mozilla Firefox\firefox.exe97.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1268.53.618863148\929732729" -childID 19 -isForBrowser -prefsHandle 3692 -prefMapHandle 8432 -prefsLen 14746 -prefMapSize 242229 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220304162637 -appDir "C:\Program Files\Mozilla Firefox\browser" - 1268 "\\.\pipe\gecko-crash-server-pipe.1268" 2428 290f034ee48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412LowMD5=8EED02513FEE9651AB53BCE69398DDC0,SHA256=13266B71CCF68ACF0A7E954942FE2AEC9DE087BC7074D2D86E0FEB93820752FB,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000032585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.709{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.706{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.703{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.703{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:29.694{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.53.61886314C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000032558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.116{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local56417- 354300x800000000000000032557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.112{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local56666- 23542300x800000000000000032556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.527{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98E867BC508473449C7D7262E391921,SHA256=5EC8A044A1F43C38D0B45B334B492368F41743F3B91AF6E4245EA395436A0F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:30.953{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3A91EE8B3C9CC3A4B7426D9763F7C0,SHA256=C1C53966103958606B31E076CB8C93832A052F28CA5AF57E5FC6A0392C96190D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.473{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51440- 354300x800000000000000032622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.459{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local55384- 354300x800000000000000032621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.413{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local54974- 354300x800000000000000032620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.410{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local52256- 23542300x800000000000000032619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.783{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73DA702BAFF11ACCF5F8000CCC886A5D,SHA256=C4941B0356F25CB189D43D499C97926AB0A8CBCC8B37DC0FB624A8E4619E4933,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.745{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2C62-6227-7307-000000003602}3648C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:30.645{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.56.185761324C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:30.645{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.55.179398687C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000032615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.028{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local61021- 10341000x800000000000000032614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.624{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C51-6227-7207-000000003602}3844C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3fcc8|C:\Program Files\Mozilla Firefox\xul.dll+847632|C:\Program Files\Mozilla Firefox\xul.dll+83b7f1|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.615{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2C62-6227-7307-000000003602}3648C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e3ad48|C:\Program Files\Mozilla Firefox\xul.dll+e291e1|C:\Program Files\Mozilla Firefox\xul.dll+42295e4|C:\Program Files\Mozilla Firefox\xul.dll+244e3d0|C:\Program Files\Mozilla Firefox\xul.dll+97f5ae|C:\Program Files\Mozilla Firefox\xul.dll+942851|C:\Program Files\Mozilla Firefox\xul.dll+18b9dd|C:\Program Files\Mozilla Firefox\xul.dll+982a97|C:\Program Files\Mozilla Firefox\xul.dll+94b7cf|C:\Program Files\Mozilla Firefox\xul.dll+94e4d1|C:\Program Files\Mozilla Firefox\xul.dll+94d2ae|C:\Program Files\Mozilla Firefox\xul.dll+94c631|C:\Program Files\Mozilla Firefox\xul.dll+956664|C:\Program Files\Mozilla Firefox\xul.dll+8984da|C:\Program Files\Mozilla Firefox\xul.dll+82d577|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+16bf299|C:\Program Files\Mozilla Firefox\xul.dll+1a0aae8|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f 23542300x800000000000000032612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.536{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7959AA244E9F25F6FDEC385AA13D2A8,SHA256=F1FE6B3D9E19BCA752C1E7E332348CA1BB0E13E7387E78588AA2FE6C0067D112,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:27.299{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:30.442{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\permissions.sqlite-journalMD5=06234356CCCD50A1B0359A6D8FDA5FCA,SHA256=8A8F747CA0C6CA804A32B3BEEBE5323E5884AF0F9722E59964D47FE23A0166B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.697{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:31.968{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4360FCA8EEE3A1668CE4A0CDD4E6E196,SHA256=89E8C02D3C5DAC4D29CECFCC115F0AAA9FCC18CB5903E57F7E2286E300BCF906,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.316{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local61011- 23542300x800000000000000032679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.847{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6B47357B130724D3B2A3BCD1C2ADCF,SHA256=4566D366879BDD20900658F48A32411593FA3E95CD727C84A6B995CD8157ABA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.726{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.726{C64CDE3E-1CE6-6227-1100-000000003602}4001588C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.711{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.711{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.693{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-19C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.693{C64CDE3E-2A1A-6227-1807-000000003602}1268\cubeb-pipe-1268-19C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.678{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.678{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.675{C64CDE3E-2A1D-6227-1907-000000003602}288\chrome.1268.58.74734499C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000032669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.58.74734499C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a01f4f|C:\Program Files\Mozilla Firefox\xul.dll+1a007eb|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.675{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.57.201083622C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.668{C64CDE3E-2A1A-6227-1807-000000003602}12685064C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+12034b|C:\Program Files\Mozilla Firefox\xul.dll+120e94f|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000032665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-ConnectPipe2022-03-08 10:15:31.668{C64CDE3E-2A1A-6227-1807-000000003602}1268\gecko-crash-server-pipe.1268C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000032664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.638{C64CDE3E-2A1A-6227-1807-000000003602}12683920C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2b990|C:\Program Files\Mozilla Firefox\xul.dll+e4023d|C:\Program Files\Mozilla Firefox\xul.dll+e3a359|C:\Program Files\Mozilla Firefox\xul.dll+e2b2a1|C:\Program Files\Mozilla Firefox\xul.dll+e39418|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+19e1dff|C:\Program Files\Mozilla Firefox\xul.dll+19e0813|C:\Program Files\Mozilla Firefox\xul.dll+16bf7aa|C:\Program Files\Mozilla Firefox\xul.dll+1a0ab5a|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+18b6c8|C:\Program Files\Mozilla Firefox\xul.dll+18a5bf|C:\Program Files\Mozilla Firefox\xul.dll+43f1071|C:\Program Files\Mozilla Firefox\xul.dll+445b70b|C:\Program Files\Mozilla Firefox\xul.dll+445c4f9|C:\Program Files\Mozilla Firefox\xul.dll+1fa5a63|C:\Program Files\Mozilla Firefox\firefox.exe+9e10|C:\Program Files\Mozilla Firefox\firefox.exe+1ca68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.638{C64CDE3E-2A1A-6227-1807-000000003602}12686112C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9a1cff|C:\Program Files\Mozilla Firefox\xul.dll+7cdb64|C:\Program Files\Mozilla Firefox\xul.dll+1a003ff|C:\Program Files\Mozilla Firefox\xul.dll+12a45|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+12627|C:\Program Files\Mozilla Firefox\xul.dll+989c91|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-2A1A-6227-1807-000000003602}12687036C:\Program Files\Mozilla Firefox\firefox.exe{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+30dbd|C:\Program Files\Mozilla Firefox\firefox.exe+2ffe5|C:\Program Files\Mozilla Firefox\xul.dll+205d28a|C:\Program Files\Mozilla Firefox\xul.dll+99dcee|C:\Program Files\Mozilla Firefox\xul.dll+99beb5|C:\Program Files\Mozilla Firefox\xul.dll+9a2b2e|C:\Program Files\Mozilla Firefox\xul.dll+839abd|C:\Program Files\Mozilla Firefox\xul.dll+16c00dd|C:\Program Files\Mozilla Firefox\xul.dll+16a857b|C:\Program Files\Mozilla Firefox\xul.dll+98ca3f|C:\Program Files\Mozilla Firefox\xul.dll+2461e|C:\Program Files\Mozilla Firefox\xul.dll+83cb5b|C:\Program Files\Mozilla Firefox\nss3.dll+69cc|C:\Program Files\Mozilla Firefox\nss3.dll+8f2b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1da48|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.632{C64CDE3E-2CC3-6227-8407-000000003602}3148C:\Program Files\Mozilla Firefox\firefox.exe97.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1268.57.2010836220\754842533" -childID 20 -isForBrowser -prefsHandle 8084 -prefMapHandle 8156 -prefsLen 14746 -prefMapSize 242229 -jsInitHandle 976 -jsInitLen 279340 -parentBuildID 20220304162637 -appDir "C:\Program Files\Mozilla Firefox\browser" - 1268 "\\.\pipe\gecko-crash-server-pipe.1268" 7860 290eedb8b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412LowMD5=8EED02513FEE9651AB53BCE69398DDC0,SHA256=13266B71CCF68ACF0A7E954942FE2AEC9DE087BC7074D2D86E0FEB93820752FB,IMPHASH=FAFFE564A2DAFFCCC4A6BE71D34C1748{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x800000000000000032655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.156{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50994-false45.89.69.168cpanel12.coopertino.ru80http 10341000x800000000000000032654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.629{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.626{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000032628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-CreatePipe2022-03-08 10:15:31.620{C64CDE3E-2A1A-6227-1807-000000003602}1268\chrome.1268.57.201083622C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000032627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:31.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6BDEA0ADD5953142ECBF9760C2E3DF,SHA256=2F1795B3648B8D84EB997068A1BBFA0B931CA8A4FE5EC3359EA2F39E38F938AC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000032626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.476{C64CDE3E-2A1A-6227-1807-000000003602}1268adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:216.58.212.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000032625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:28.033{C64CDE3E-2A1A-6227-1807-000000003602}1268plus.l.google.com02a00:1450:4001:803::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000032624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:27.933{C64CDE3E-2A1A-6227-1807-000000003602}1268nodispappearancepage.9002-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000017240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:32.968{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E736604CCE7B4C30EEDE8E24A3E690D,SHA256=EA30EF15C99550B838C0532BB3D9632461A8A7608E58AB36CD85DC0597134598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.670{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2248910C756FF444914872C2A80D943E,SHA256=90A74A07A6935FCE90AA30AB573442CBF6EC6BC5BFB7A34F69FAC76FEF151AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:29.351{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50995-false87.250.251.119mc.yandex.ru80http 23542300x800000000000000032681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.570{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339E8B12BD32AFE040CF96121E77F6D1,SHA256=414813B43FCCB6D0B5CA6300D5B4FB54F461FAC9896DA33410900A10AD4C1ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.574{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D832F1EDC97763E350AF1AE99ED8210B,SHA256=87209633F6A47DBCB18393299E96EB573FA9FC9F371572DDA83FD2E73FE2F01B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.547{DCBFC465-2CC5-6227-3C05-000000003702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.500{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1DCB9E6FC8E42F6F4DE3C5AC63571A41,SHA256=CD29B4842BA2DC7CC9834F96D1C5722D61D685F374EE3F295D1B9A4BE1FDE922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.297{DCBFC465-2CC5-6227-3B05-000000003702}39083524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:33.047{DCBFC465-2CC5-6227-3B05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.510{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qh3soqs3.default-release\cache2\doomed\6279MD5=61805A1CA2F41B4384A3B007E3D5391E,SHA256=FDF9433504A40C3FB693859A6C011F26BFD23F6E6E0D1DB5BF7D4BAC1E541062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:33.510{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qh3soqs3.default-release\cache2\doomed\20317MD5=F6D710BF9451F30031446AF9A25EE30A,SHA256=6DF4CCF72A9CE1B8DCF2DAE0063A0793D5ECADC19872872349E8B914DDBBD5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.618{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1366DB808069F8DB38AB31920D45DA,SHA256=7914B8F6103CD4B21564E0EE43648F1936F0357C8E422CDAE1BE4F638F5A33AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5DA42DF8D4E401D78C3D81F1CBE8A7,SHA256=FF9FCB0F9D272B37E5F6F80B6776D2A7F8D42668AC4CF285F45DBBE2EA1A56D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E764FC4F5E3061D0373374989A3E53,SHA256=0063BD62CCC3379A6EA2907DA1EAA35508823D5AAD783258B0D6A8C3F7E53C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:34.375{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61585D4ADA5813683983A15EEE1E1828,SHA256=5D9DA7DB5B365F0E70A6D9B7556593EE9860F3AAEB5B9FC9DAE9F025A809964C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:32.361{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.391{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=C9167D921095CDDE82FD7E8E25F0B398,SHA256=7796199B38571A7625FF3AE51CA43321B0F438276F2F508E86287B8DED03D495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.388{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=5F28735FEB9621541AB9AF49F8C90ED9,SHA256=7F02F8BC22C86D51BE638AAE3BF1477F3F69B0A9D09E3D56ACB1DD0CD5BFD82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.385{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=88311F2ABDF57DE8FA129BEA6C5C4906,SHA256=AF86F9CBEC0E918A23FDD7498383A389778D2178D48CDD5EE130D50D64A81ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:34.371{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\https+++www.google.com\ls\usageMD5=C79689CFAAE446D53027F2869DD44ECD,SHA256=FFD2148734E3E67E2EA935AA8D62E80E28B842F2A5D21B6D1C01D7A8F80FD12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.917{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=4733729183F32586C7C6347327D900EB,SHA256=AC15738EBE663F439B616064907EBB9925288684E488715B367C1345DEE7A4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.917{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=1A6A5BBCF3C9834640106C6C7BDC3D5F,SHA256=527E97F93C9EF1D69ADFDC9BA63673A1D5CCFA9BFCF2631FB4D98030F730CD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.914{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\data.sqlite-journalMD5=DCCEC7FD73B6EEE4A6D9E6013484714F,SHA256=196489359745A758D40D1E2AF9F859B985DAB8EC0064498A7AEE040B7901B754,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:32.754{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.902{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\usageMD5=C3C829AF6098150F438278D08EE93107,SHA256=79E1E72B72EBD9366746CC9C2A4852CB7EE2B4C7C626D1D800A1143ED24797FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.622{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728484FDDBC9EFE02CAA7048561D2A61,SHA256=FF2018127FD37BA876728FAD5CFC250F259BA794F17354699B83347827ED186E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.938{DCBFC465-2CC7-6227-3E05-000000003702}10921784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.703{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.704{DCBFC465-2CC7-6227-3E05-000000003702}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.408{DCBFC465-2CC7-6227-3D05-000000003702}40763896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.203{DCBFC465-2CC7-6227-3D05-000000003702}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:35.172{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D773E91D5066251FAFE1A8EFED82146,SHA256=E9BF8BFE1371794F3AD2EB73795F4CDF60948E30E0B9B73A2D5262C826654D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:35.446{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=3D0B69B3BBB45DF96AA8CF5E301BE955,SHA256=F31497DF8EE9F021FED17C60ADAA8A1FE95B4EE41E440C6121ACF9FD5D396AEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130D3FC5E3570469BB71B410FE93D97C,SHA256=1F9E7E952D9BC2F95FEF30BFDADE993DD5B627776CC91CBF305F6545F125FF02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.703{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.704{DCBFC465-2CC8-6227-4005-000000003702}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:36.633{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5CE75C14CD20E76EE50BB19F35CE5B,SHA256=6B990B61F8F724BEA9BD8D8BC93B4DDE189AF4DAD247766CE50C4354FCA701F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.281{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC5DA42DF8D4E401D78C3D81F1CBE8A7,SHA256=FF9FCB0F9D272B37E5F6F80B6776D2A7F8D42668AC4CF285F45DBBE2EA1A56D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.203{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.204{DCBFC465-2CC8-6227-3F05-000000003702}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.832{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0AF6D502A28EBCF60D1C126A4C541BC,SHA256=11542BF5AF86229B669E557E7AD4C2D2CB8B709B5C7E18996A0C8A78BC5C6C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.723{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5924704BCA9CC2BC8989BCFA5F9DE9,SHA256=25835C1FDD6509F014527CE6495927D843E0AA289A23F93D87FF4E9917164CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:37.638{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D226DC4AE5FFFB299FBFBC229B238933,SHA256=273D48BC64CF36A94448EFCCF42C75A5C95BB7F25A525CE5FBB995739BE5106E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.015{DCBFC465-2CC8-6227-4005-000000003702}4048356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.739{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825AAC8A696EA30EAA2FCF4A7DBA0D,SHA256=8632B3A318D3DC5FC2A983B3158AF2E1D53FDCBBA2989057C05158A96B960224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE61C1F65C05E864B0C693FCA9C10A1F,SHA256=0ADBD893F477D2146C1B0D4CDD7484FB25E1589D408507B39F84621266426DBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:38.161{DCBFC465-2CCA-6227-4105-000000003702}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.406{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:38.400{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:39.786{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF878E28617AF90ECEF8634F7E7A92C,SHA256=2E48B6675B5DB4414B94AD0AED5DFCD767963EEAE856923EAEDDB7F728B4D5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:39.812{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E075C36694C6968FA874C17503331BA7,SHA256=BD6DE966B6CC09528B6B54F3867733F706B392C26884E05AE98F8954CBF6F8D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.785{DCBFC465-1FE4-6227-3C00-000000003702}3064C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50334-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000017348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:36.783{DCBFC465-1FE4-6227-3C00-000000003702}3064C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50333-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000017347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:39.161{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8F89F09E8368183C6A7E8A4D33A016A,SHA256=67341BBC7054D7F895EC18F17F51BE4674539BD0C5D25668F95E00A454A8B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:40.832{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7092AEB003ACC0B97F067CCCDC7125E,SHA256=DCC609EF237711D01324678FD8067881DB79066781F55DEA0C242348A980E9C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:37.831{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:40.827{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD641C07B7761D2820AE9C64FB407A46,SHA256=4967F1DDEE1844A9B30F187FCE7DA4965B800F7508B3EDE3CF2CC34D2D3BEE4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:37.507{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:41.880{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C570107DE87402C63F257023D1E016F,SHA256=4F3720B410DFFAC1B7107E753FE4E42C0AA1CD961B59E2B47D32E69594CED8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:41.834{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DA7AE130B4F4C6645D20C67079E2EF,SHA256=EF6DF82E65AD95973103729CB15167EDE47E35E02DCA05FC62070A118992E0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:42.880{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47254D4C15259947D20582461169A77D,SHA256=A34D55B55B625FC9E6B930535DC14BDF8F5939260D247B0003D1186202F4DED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:42.911{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34CA6719C68379F99A0F76C42A9555,SHA256=D8E6D9B5A3891274DF399034CD2BCD3D63BE8A433EFB536B949DA41A0F37D788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.911{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA681463B0E67AEE40CED5AB3D289B9,SHA256=86F241E8FCE67F72E5CE9FEE6E172BBA5A09A34E6E0870ED434429606AA9A608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.969{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB9F15D3EDD5377D6B4310D0A27D159,SHA256=F726AFBE662DE5456280AC10A44F059410209FCE54A3AA1F7BEE0DA9AD3404D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.903{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:44.098{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.335{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:45.067{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A46D24A2D5207CCD7DC0FDBF6543E20,SHA256=5867B2150D77105F5AF337AB3972DBDECEFAEB21930316987E62486A73EDEC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:45.036{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27D8E0A7BA50C31951C335B71AC687E,SHA256=421A1BEEE8EC65D92C1A90CABF1E8EE4D25842A07DD82263FB0034B7B88DC7E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:43.460{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:46.067{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E53406C48F0B9DFD52244B84707814,SHA256=91B474F89204F1BE2D1AC1D5F7956392C10A10FC69D0685CD72CDB90191B08D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:43.683{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:46.040{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266FBDB62AB5E50F34EB598F0B89AB38,SHA256=E22D23D5E3F40C48D6BD88F1770A824D18D9A7133E25949C7C75E5E48BEA0DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:47.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C690987CDF43D771DA77259A44CA6357,SHA256=566A657B4FC86EC5543C2356BEE329E957CE80E97DF19E67035042B9D49BE089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:47.044{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA54DA368CF6E9B22FBA9BB549EE374D,SHA256=ED05335D85C33EC2A58D990CC6AAA66AF6CF6F1C6A18036FD80F0714E45E3A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:48.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8AD666A401C70BF7A1215044E341AF,SHA256=1F1195580ACF5CDF9413875FA1C7A71D32AE326C8C62A1010AA361AAD6772D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:48.045{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D522F20018E79A66F646BAE59FE55865,SHA256=E941091D1EF09F5065A1EA498D0A4C3D6F9311E418BFDDD84A84ECB9E27EF9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:49.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BB5F9769C1507639C2A588D7E63E1D,SHA256=C562514D386603B889A1EC1B15BD3049409DA2A173636A1FA3BC63E23DFFEC54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:49.105{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:49.050{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407D2A58607F4FE6C8DEE1BBA9BD8598,SHA256=771E65C913A88E185DC419FAA1383B463F2480E0F23204CCED348A2700A23789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:50.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795CFEA2766744A7170C9D16C786804,SHA256=0AE8ED04A2BB1EFBD5A890A1E59D50E404050CE36FD2C96D5278EDE9B90D2B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.925{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-walMD5=251419ED6CEDF3BDA3C23E3F323AA48A,SHA256=9B1844082D2B1557426C1628F8CE55A3F0CC3E9C30C5E0E8EAFA113A2D71D4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.922{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\webappsstore.sqlite-shmMD5=7BD44964D54E81A2F676B51166975DB4,SHA256=988B97BA013B6423068F6A84B0B9447052518DD74D793817FE4E562C4DA6A375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.919{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\data.sqlite-journalMD5=25DAA2CB5BD939B5CFB8EB2A199A578A,SHA256=21B790734B264A9BD692EB18C387DC9FD2DEFECC9915B60C81DD13CE9844816E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.904{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\default\http+++systemmanager.ru\ls\usageMD5=C3C829AF6098150F438278D08EE93107,SHA256=79E1E72B72EBD9366746CC9C2A4852CB7EE2B4C7C626D1D800A1143ED24797FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:50.060{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94C100E8986623A764E3EB7275191C,SHA256=640397B9E5E70B79E26834B1AE984FA8327DF37BE7382DC051649F19017C9BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:49.389{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:51.090{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8C7E154A7535371610CD0750348FC6,SHA256=B5C40DD0D621DDE85BFA5E74BC607AB7A7E0EC508CC6C112CE1E4EEBC03FC2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:51.144{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B460E3596F4792621C1F27C77145D6,SHA256=AF2E973A7B89FB527E9428336C0C0F921D187CA4CA9A0018D70AB91C9B9CD47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:51.141{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-065MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:52.121{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A6490576F7D2600283ADF6242B857A,SHA256=03DDC0E1FB25A0D6F2EF7D5C995818199DCF6131FDA36FD896547FBC7B8FE10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.849{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B3F828540C59867C83EE36037F91F17,SHA256=BCB652DCDBB36943B012DD694189526F82F9F3B36316B4B30E9105BEF000DC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.147{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936F1C38B0FE4981B5BAE72A8B1DE52C,SHA256=A0294D0862E2494A10F019734EF754FC431C53AA30DD6594854ECC7E43DCC4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:52.141{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:48.809{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:53.340{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1322906752EA2029AFE77EC86BE2039,SHA256=E1F2EC8D77068828B923EA71FA73F224A9D6F6011AC76A121A0F9F2808B02F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:53.153{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603507B28FFF4FC24DECB134F61B4ECE,SHA256=DCA2268025EB72CE8918F21A36209A9B6FB1C0BF3BAFECB5E37B30000A224716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:54.355{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED49656D6DF3C075F1E9E53F545B07B,SHA256=F0C2F3AA9428E1DE0500AEDBEBC0E25A27654AADAF4CB4BC1F6EF2B87C357DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:54.222{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6DEC1A8685A2EF6A84CD1F16ACAC86,SHA256=32F0CAB61697A3A5DC81AA54A954F9579E0D858512FA51DF89BF12AE0BCBA8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:55.605{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC5F3D0D7B46A23750B26A975E39589,SHA256=D7186E97E6FA151BDBFC96785D1AEE60896BC74C24903D8E9A918D447B9B5F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:55.292{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C7E40429B70BF27FC87A810BDF2D84,SHA256=9C256949945427DB6A4E84C088FD91C6AFEB1F512B2DB22242AF5A0ACC9FE166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:56.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633E281151852DFB494CC6B3EB92E2A1,SHA256=47809ABCF2BDFE2539354B2650442FDDB89714A540CD53036AA928781192948A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:56.805{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:56.306{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB27A3A716F05B0B2B2F9311847CC9FA,SHA256=3DE60F037D67D469BE7212C00A00219BFB826AE9CE2B19EADABB4DFD85E33A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:55.295{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:57.856{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7195D87850A630BE0A702819146127,SHA256=2D000E4E62B31EE92B60CDD185301372C65D4DC7EF029E32CBD92FFA1A9CB693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:57.311{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF232BC1F9F98E8096F6D64D738D1D04,SHA256=B0CFAA965B008F7BBC4E740037BABA2E630C9442FE4D5C577291C71A01C8034C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:58.316{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13F4CA4930F4936123B437B145DDEDD,SHA256=B2E689A0D54C41F0C599BDAD573688E6479F84D0FFA536CDF14F9312CB870E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:58.532{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-053MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:54.716{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:59.532{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:15:59.093{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F75453842476FF193A3286EFB275002,SHA256=EAB78D591812D4E1C98CCFEA11EC20354FE54F1685E533641BD21106C506534D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:59.323{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5999699DA6FD9A55B30B7DC85AEE5E9C,SHA256=779AD9443CEEF67462F65A096CAF3AE30F4084E9B9202CB3B2BE153CAADC79E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:15:55.385{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:00.155{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B014049D558B83A9810129677E8AB3,SHA256=C68AE02B3E3878EA36C21EFD1EA0359B5171B8D20B634A7703AD4B490C95531B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.333{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A66AEA3C4B61D56C9873DE83C93E0,SHA256=079B58660871F9AF8A99246B7EF1BBB9C45A52ABFC627FF6BF5AB30EBC2EC5E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.253{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.205{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.088{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80407|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c600|C:\Windows\System32\SHELL32.dll+179a7e|C:\Windows\System32\SHELL32.dll+73861|C:\Windows\System32\SHELL32.dll+76746|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000032744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.089{C64CDE3E-2CE0-6227-8507-000000003602}4108C:\Program Files\Notepad++\notepad++.exe8.32Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=10DB8FAF4926EF216BFFE922D653EA0D,SHA256=C505A5CE5CAF2C01B0C784A9F05889D9445067595774DFDC4436DC800ED47501,IMPHASH=6BF41AAD44CE76BBBB7AA843748061B9{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000017378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:01.156{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EE738E5FFFDEE8E998A843987F039F,SHA256=BC2295665A4339DADDB6D7B0A5972AD30A1C27EF50E22D47BD4C5E5143B05848,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000032766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000032765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000032764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d832d5-0x83392f41) 13241300x800000000000000032763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000032762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:01.841{C64CDE3E-1CE6-6227-1200-000000003602}464C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000032761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.341{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB4A875D36391ACD37D471BFFBB52E9,SHA256=71DBD85832112DB1E67728D2AAD19C1423F53AF9A43FF12EC1250E1BB6F70452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.089{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F2245D0D82130AE8BEB49E0B81E9562,SHA256=80D0ECB4F1127C555E23C7621D97E8BBFDAF417A394BFC36FCC70AB445616A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:01.089{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177B0EE50704152537FB5ACEBA91F086,SHA256=60446B130F5A4E043F042C8671234210098024F399FA91A5C84514E257F3F7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:02.357{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1253AE77B0438E08F4D7A67CF8097743,SHA256=E76F6FB22B53CB59C2D78C290131E3B290118B2E35BA9DFD8C52DA1C0324D045,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:00.377{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:02.156{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1547EAA165747392D8EE120B3C2AE7,SHA256=4F2F9AD0454F14A6E8D0F870EFEB9625896E2DC0F5515427BE14FD0634F2B134,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:00.753{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:03.371{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0280019D5F3CE7E1EE9F2B0032801F,SHA256=8B00CB3F0770B0C7540BCA96D301BD174D377520A46FCDF0885102BF249CB882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:03.157{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C133F8F777FBBB56C783CC0BD15A65A9,SHA256=392C3822C961CD9DDD10F7964D835E9ACCAD615E049E7B9193EA9449B89C7CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:04.388{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00435876DB4F894E0CDF3CE815C29EF6,SHA256=AF6387C3189BCA685F2D17304CDA600BC9C27427AFDE75F45CADE9E689F8E94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:04.267{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA31527D67AA3E9FD4E535020C4B2F1F,SHA256=9971F8B881240BBE3C1A97F83FD21B368C7BDFACC1967FF542A1839301A60EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:05.267{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFC16908F2563C748861A939ECF2E08,SHA256=2E85282A61B2347E6CFA68439FFCE8CED8A810661B18AADD702160E6941EBFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:05.388{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB920FC8CF4E10F330E9B47BF07D29,SHA256=6AC60AAF3E91E4C10E0B59DD24F7721E1E0BFB5B31FB7A7BDF1A59B654F74857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:06.268{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AC18C47F80ACBD4FF58383133EDD57,SHA256=4E8D259E15D57EBA6AE0D4FE4746A60EAB36C94FCB0F8730AB507351D88BDBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:06.404{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF876BA41F018A8A55212FF29A055464,SHA256=1BF5DEB278E0A6FD4F8D5D7AEFC2C67628325098015F4E7698AAD787357F62E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:07.442{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A7AE28E2C9CDB29DDE29509BE950B,SHA256=9287A9AB962CB16FB97745484170502901B87309609F1AC6096DBDD5D675FB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:07.282{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE06060C935AB3DEC3BEA6E02F41164,SHA256=24A23896401A16C2A93592B73F67C81B283C7E9A835B22F5A368E0CD9B4DC742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:08.457{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0743BB048CE6442E6F22925B794B85,SHA256=8630409109F23B63D1ED1E08B85A24E5775B2B67B287059A9C6B6E96AC8B566A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:08.282{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE711424B737A96B509B959E7C68565,SHA256=4A2D34253236A67EB4C3E56B8939828296BFC2A1615BDC876C551A0F2E47A670,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:05.442{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:09.472{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D2F4E61917755144B94500B5CE1108,SHA256=C7048781A28B2EEAC772A4E94080DC3D5DE833701A58DE510D7A57C566BD9DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:09.423{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D958B29211423DBE339B2EE7B36D31BD,SHA256=686C89DD9AB7F91610BDAED27C3791627FE4F6222DFB63F6934A1E9746F72A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:10.455{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0140449139AE782C33B7682A6277202,SHA256=7C2533686CCAEDCAD6F928279E6B9922AA21B9426314CD30677060EE13AC20C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:10.521{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4A80DE05DBB8B0223DCFBEBBEDF66F,SHA256=3C9B1FC451150A1A6CF38514B60A538D3E1E2FDB1306125958100D99001E697D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:06.671{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:11.675{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944B227A742903145381B51BF9F84E68,SHA256=D343A3DC168FBD50251C3A64730FB4E431613B6968E68A3AF4310567B20DE961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:11.540{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247423ABD49DF490C9C7F67704AE352,SHA256=0F852F8B27054BBFBFE82B4A2AE775CB80AAB162E25D9E5154331EF1766E26DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:12.769{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C73C43B28E259B3A8A1D0FF5D8C34,SHA256=9086B154F4752C418FCAE893AC0FBB41503585A288DE648C4DD6D84642727063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:12.555{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4A855CE1DB0B76ED488F983BEE8EA4,SHA256=5EE3E7715A383610BD179258C96BFFB0D597A355A1613F1C68628D686656E31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:13.957{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585070BF337DF015777B54A30B2FFF4E,SHA256=A781EDE89AD376FC77311A83ACC43776E0E845805FE7668A676B22CFDC56D1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:13.556{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3031E17B95CB7766837A897F37D2D82D,SHA256=A1D281F3B4133E7CD5A04303460B7E2342A28F04EBA6ABA62E137331B86D30AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:14.587{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720B151C8DE69E8EAB5A687DE4ECAF67,SHA256=90E3ACD591C7E8DC0DF4E4834DF78F50D6DCD6F2BB0E47AAF09211A1B3E3E60F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:11.349{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000032786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.871{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3eb76b.TMPMD5=64FB9FCD78FAB0ED4E13FDF8E97F1F05,SHA256=7B76CC0C5F789CF638B4ADD18D721569F8C707C2DA260EF14EB7E4CDC324AE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:15.620{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33E9534E912B3477130569560AE5CBE,SHA256=7EB61DEF63F7A25D7E2D16C0EBE93E1630C1098B3747B0D7C1D2A3CB185B8583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:15.051{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B2D0C0E3B3D033F4A0963B197C3B3,SHA256=DBB2E07D689393CE98224CB8155475CCC2E339681E50F68F45BE85E43B61473E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:11.838{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.839{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.839{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:16.639{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173A3FA75C147C3066C60AC58D176247,SHA256=42B90278798E99506AFD40A5739EAFE777412D2CA44C37A473D0AF03B2892C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:16.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A783DEA9F237CAC6C2847C6DD04DE958,SHA256=0C2B5F768AE39ABFE8DA806F449387C8996D55E571C71C50639C2DF6DCA91E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:17.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91163876ECE2AC28F066FDDD751D1475,SHA256=3C372C4424C2315149653B11A42424EFC63055AAFCF15F53BC2878A053AC1616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:17.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79CB04A7257F1DBFB7271B03B8D850F,SHA256=D89C6DC62B0B6A4FB80BE145B056FB93333494ECE61BDE5C69E4DDF07DA3D49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:18.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833309346E79EA50D1961078C072D374,SHA256=4A8C126DE8E430904315031DA6BBEA2AC29609D5E42632B7728145C94907A314,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:16.367{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:18.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5ECF18AAEA7C4DB8066A1D133CF006,SHA256=AA54D853D5872356AFFC196AD61ACBFE88E67FA7D4FDF789185980929125E822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:19.721{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3618C12739C598A1CAC74AAD3F595AF2,SHA256=003E246785C3AD9B3427E96253FDF5B507B2A1C3A334B17EA258A2A54AD87E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:19.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779C04A07AE95B1E82B0825C7D9F5AB4,SHA256=FE31D9C903248E7E21731F2963E3BD737DDDCDF0FBB5B2041D25CA4DF03883B2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000032802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000032801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ec565) 13241300x800000000000000032800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0x2b8a8c9a) 13241300x800000000000000032799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d5-0x8d4ef49a) 13241300x800000000000000032798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832dd-0xef135c9a) 13241300x800000000000000032797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000032796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003ec565) 13241300x800000000000000032795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0x2b8a8c9a) 13241300x800000000000000032794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d5-0x8d4ef49a) 13241300x800000000000000032793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:16:19.454{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832dd-0xef135c9a) 23542300x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.738{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872ACDE9CD8D393E519FC8D185D989E,SHA256=FB2159CFD397AF895A1E668F99A7072ECC6BDC76963DFA0BE1506A49EB30560A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:20.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743C58CAC409EE97DA1E84BA7E47306,SHA256=9B89EE67460A663D1275A78D8885548E3B92969122B2ACEE372D024DD5C14259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.538{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:20.539{C64CDE3E-2CF4-6227-8607-000000003602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.753{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D1A16C0D31252F12D74909BD238093,SHA256=6FAA2CF183F0A19EFFF77DE39F072167C6BF14430F5CCE777FDED82B00DB0C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:21.193{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFED60A5BF57A0E03DD5E55036136F44,SHA256=EBACA11FBBBE7242F30BA22D7B5032C8B6F8B2AAAAF4122352F1653B82FA9D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D718E80AC3BFBFA92D94DF1E9CEF7EC,SHA256=37F12988A5C09C8D40B0DF8B290689321883A3882C7D0C23621AEB6926205B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F2245D0D82130AE8BEB49E0B81E9562,SHA256=80D0ECB4F1127C555E23C7621D97E8BBFDAF417A394BFC36FCC70AB445616A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:17.751{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.300{C64CDE3E-2CF5-6227-8707-000000003602}32764932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.138{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.139{C64CDE3E-2CF5-6227-8707-000000003602}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.755{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFA3DA39B645CC8542B4AE66126251B,SHA256=ABD7905FCC8AF33D5EAE52EF396EA4C99CE7382EE49E3A456791284745817B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:22.193{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89B1623FB79B9D5147CA00161DAF4B,SHA256=E35DB24AAC395411205B68A60DE2ED0F51BBE1D53E323FE4D7F3B8F1AB0D5479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.622{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF6-6227-8807-000000003602}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.620{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.619{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CF6-6227-8807-000000003602}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.619{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF6-6227-8807-000000003602}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.618{C64CDE3E-2CF6-6227-8807-000000003602}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.856{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CE1-6227-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.756{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FC0EBA6A07D81762781A11DE01929F,SHA256=66C67F629B6118E068DA54B1D7F08735A118DF30A298683BDDE9556AED6220EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:23.208{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334D986665F4B9BC2FCCAFE69B285E7F,SHA256=E7E4A47BFACB1044EA5E6A96317840036CF7C58DDA98168C74767E807BA18634,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.741{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.741{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.624{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D718E80AC3BFBFA92D94DF1E9CEF7EC,SHA256=37F12988A5C09C8D40B0DF8B290689321883A3882C7D0C23621AEB6926205B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.541{C64CDE3E-2CF7-6227-8907-000000003602}46484900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CF7-6227-8907-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CF7-6227-8907-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.372{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CF7-6227-8907-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.373{C64CDE3E-2CF7-6227-8907-000000003602}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.171{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.171{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.171{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.348{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51008-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.348{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51008-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.341{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51007-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.341{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51007-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:24.771{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C053DA7014DE9767ADE5CE4D60734DF,SHA256=9537B18F5E0DE579704FCE6FADB611F981E1843B9C4B46305DE35BD3199AB249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:24.771{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7174DE27172316080FDB010459FF42,SHA256=393D50E5BA9F3D7A064043F6B94A5E133521D997DFCDB65047D3A20441A4C5C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:21.367{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:24.208{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9133373182A75BFC66546328A0F194,SHA256=94AB3380329EDE60F1D9CFC7B36BADFB40CC4F783BE9724BEEECA060E2139FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.700{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51006-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:21.700{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51006-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:25.802{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC81A714B16F0AA46FF7BCA3E57F2A6,SHA256=401D5FC6857314890229C1F87349A385480DE73CA88F2C40496D9F8619F56B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:25.224{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDD8AED898A4DE4550852042C985139,SHA256=D0BF973346D83490A266CC54D20061EA67F06E09BEB0B30DE0D242C74DCEAFBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.457{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51009-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:22.457{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51009-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 23542300x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.823{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E60323604371259D83CA1062E201F,SHA256=1EACD1484EFBCB4DAA0BE867BC9E4755DCFF29A976C7AA544CB06647705FC334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:26.224{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4635C86BC78C8EF0F159410932F88C36,SHA256=3EC5787C7A7F2C50B2061E66F545D6E3AD5D30280529E05FBDA16026CF0137EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CFA-6227-8B07-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2CFA-6227-8B07-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CFA-6227-8B07-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.802{C64CDE3E-2CFA-6227-8B07-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:23.736{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.339{C64CDE3E-2CFA-6227-8A07-000000003602}25565376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CFA-6227-8A07-000000003602}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2CFA-6227-8A07-000000003602}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CFA-6227-8A07-000000003602}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:26.139{C64CDE3E-2CFA-6227-8A07-000000003602}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.871{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3117CF467078CAE71DBA800EC85FBDF,SHA256=C503DC971ADA091556BBB572B946ECD548BDE88F7563444CF47BF778F3496700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:27.238{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9004518D3FDB2A68E92365FF008DFF3,SHA256=384DC949E8718D9B1A19EA4621D53A1C0A56219EBDF309D77D42C78FF468C540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2CFB-6227-8C07-000000003602}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2CFB-6227-8C07-000000003602}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.471{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2CFB-6227-8C07-000000003602}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.472{C64CDE3E-2CFB-6227-8C07-000000003602}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.140{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCB02134F1F2410D89424BB6BE81085D,SHA256=9C8FC87EA45A385AEDDAF9B647BBCEE256C4274B0AE23936C5D189CF9FD80931,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:27.024{C64CDE3E-2CFA-6227-8B07-000000003602}64165884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:28.876{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABA960DC8790657D46343FBD6E9D137,SHA256=EE280ED318CD526949986E72AFE9FB2790D8DF702FFFB9E76229CA9F0CA0B89C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:26.397{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:28.238{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACF8C3693C68AD43E59D8FCBBA9F5B7,SHA256=134B31DE0FD090322E7C283525F391CB7B0543432D652D4ED0156730622B4254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:28.472{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=698DF580DB9E9D657B0F3BB1F0BD6484,SHA256=3A1863750C9C6333508675C688A59A1CDFCF7CDF31B0A69A892F743FE9FE9E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:29.891{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DE9F7D1A3DF8D409C6BE3C51792F5F,SHA256=DBBFF02B16C5A39FBD146163E78C5B2243D48599244DE9901FB6FEA8A82F2993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:29.254{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF78A35CC6A091491AC6B31614FE2417,SHA256=9ED8CA31BCFB58A3043E3E83A80B014767C7280014928E6D61847866D11836AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:30.906{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B495A51251D2879144A289A1ED12E7E3,SHA256=17E54537057151D07A7AC76E72154568E92C8DE101B3E5790CAACF79B920A23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:30.254{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194E3D01E76B09E9B75F4B74799114B9,SHA256=2774E304F1D613E2AB218DA7CB792DDD3A75217CA629EA24AB15B0C19ECF1672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:31.907{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5EDD11B90F09758931275F3F83E0C9,SHA256=F43019270092E1F49E5EB7EE9C74C22A5BCB0E28916AF64ACB0F6AD690EFE43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:31.254{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2EC4EEF8E3B4C80AFBAC72CABA658,SHA256=D0EBA4B9CF3BE12C8724A48477B623E91C2C492AC1DF8F4E0F4DCECF30A1C93A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:28.772{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:32.925{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BA88E13371C924D9B68418F17AAB5,SHA256=847FF38035C87C5864FACC8F53DAA4F3DA49A831FABCC4E6195804CEF51F2FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:32.269{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364FB2172E55FF7D61F5F44700DB45B6,SHA256=10591C84E1E36AB1FCE53DC06C39563B57E552B7BE93B2999B69BCFBB2709D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:33.943{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09356C4E9CD7B49347D381595DB9A3C,SHA256=472C2C8616005AAA99BEB53921B7C6847C7AC7D3BA16ABE55217601E10590F16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.879{DCBFC465-2D01-6227-4305-000000003702}964372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:31.475{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000017442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D01-6227-4305-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D01-6227-4305-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.629{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D01-6227-4305-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.630{DCBFC465-2D01-6227-4305-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.504{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=632281F3075BA71EEFF9AC1C3749B983,SHA256=BB653C31EA3BF540E927BF6309D3FDD01B8732EA0A022E77ACDBF50720EE310D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.285{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8F4D2DD26A596ADFE08C7C3132F416,SHA256=BB47A42D77CDD6344BC635B894EB17A13C5DE889791347013D10DD7B955273DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D01-6227-4205-000000003702}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D01-6227-4205-000000003702}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.051{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D01-6227-4205-000000003702}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:33.052{DCBFC465-2D01-6227-4205-000000003702}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:34.945{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6894CDABC6387751BADA8EFB187F8949,SHA256=2DF0AFB667CDC7A04A988154FB61EA3102CEA890DE4F4EB02F617C6DD1B1F3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:34.285{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F931614B66A17648B00A1F55AAE823,SHA256=6751179884EAB17A91FC14EFA8F0547203093E6AC3AA4B60FC49C04C52EF13B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:34.051{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EEFD7B56E8727A8F0B3CF1EADC2758,SHA256=4199CA128479EEAFB6B32BE796C6BCEA05982452304C41CCF340348A4943A347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:34.051{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE669934EF4AC3FD35EB1C0E10944D1,SHA256=CFF8A8F9FFFCE835C67CC1115B4BE9CA9098F6435833163FC4E592C0EA47BBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:35.976{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76806C2EFDC93BCD5284CA6349AA7513,SHA256=794325953B0AE6993A5E907F44D8582B1585407BC7DCD502E93C263B923A205A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D03-6227-4505-000000003702}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D03-6227-4505-000000003702}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.722{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D03-6227-4505-000000003702}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.723{DCBFC465-2D03-6227-4505-000000003702}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.301{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27136B361E9F28B2424AA905F160B4D5,SHA256=81C309DE91C63D63A42BE269918DCA1C58C5D11986C94FF99E527A299CB28364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:35.645{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07C45870CBB65FDDECE75453A23B8EF,SHA256=0A996C20B9B19ACEB3A6687B1920C3381533C7755B9B88D6A46E25196D6C10E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:35.645{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB49023FF1FF7086F1EB59D96AF30A2,SHA256=0CA0EE37980B779ED345460AE0249A28DC851765E4B548F17788CB13F292CA6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D03-6227-4405-000000003702}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D03-6227-4405-000000003702}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.207{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D03-6227-4405-000000003702}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:35.208{DCBFC465-2D03-6227-4405-000000003702}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:36.990{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28171F15B2F42004AD6C2BAE282611CE,SHA256=1CA7DC22663D44347C28670629AB20B914B4896EC0D42C0EF0491CF18725E111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.613{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9EBFB3C4988BDADE0B8233EE2F3C4E,SHA256=921EC7891E9D0CDB4B3B0D722EF0734EB09E68802F4DB1AC020CBCD81EA0C33F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.535{DCBFC465-2D04-6227-4605-000000003702}39843572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D04-6227-4605-000000003702}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D04-6227-4605-000000003702}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.347{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D04-6227-4605-000000003702}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.348{DCBFC465-2D04-6227-4605-000000003702}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.301{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EEFD7B56E8727A8F0B3CF1EADC2758,SHA256=4199CA128479EEAFB6B32BE796C6BCEA05982452304C41CCF340348A4943A347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:36.129{DCBFC465-2D03-6227-4505-000000003702}14442344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.551{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7A20C82DE5098D4AEB35B3B476033F6,SHA256=D5C9AEA0EFEEEC94DB9D16F3DC5C310CA8A197876427A7CCD76BAFAD8EAF7EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.535{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF67EA27444EAFBA3E79B5C5B74CF10,SHA256=917DE6DBB8444EF9E8A18AB7C197AE9EAAE3BD7E3BF8E384DF02CDEF24A8E3A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:34.718{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000017505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.207{DCBFC465-2D05-6227-4705-000000003702}14002640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D05-6227-4705-000000003702}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D05-6227-4705-000000003702}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.019{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D05-6227-4705-000000003702}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.020{DCBFC465-2D05-6227-4705-000000003702}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.551{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEB594A37E1CD633060535AF0C7EB9D,SHA256=DC3042A4F54EADBEE4DF3A1F4BADE3EF6F3D1F0289CBC8E384D8749AF97D319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:38.006{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE73CB2FC13611EA7A4F822EDC5805BA,SHA256=160F0DD61550B0D22F1021CC2441682CE79EE788FB582AB02579A9F2543BEC19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D06-6227-4805-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D06-6227-4805-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.160{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D06-6227-4805-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:38.161{DCBFC465-2D06-6227-4805-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:37.397{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:39.566{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5135163E91A7AEAC410B30017763AE4F,SHA256=1E95EC8DD1525B0196A84B780709A3FD21FFEBEDD74ACD80683A55E5DF3057ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:39.024{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAA79ACFFCCC7AE3667862CD0A71023,SHA256=2140AC2212645BC91F24C1864C32398E87E8EEDE2E004272E773BDA3CD7566B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:39.207{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09B30A22E05309FB3A0F874DC30B01E5,SHA256=D6BC12D1A76720309A4C4972715C6F736361E18DB5373298997DDBEE675A2F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:40.566{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59F1DD0C35EAB072271BF2D53CE6ECB,SHA256=BFB7EFDE5C2D3EAFC603E487C65CAA0513978F7490B87B03C13F8B3E5E5E8333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:40.488{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7CFABACA2043AE2B48D5FDEFB98E83E5,SHA256=99FC54017A0484F85E21072EDBDE9BA252A2D125B917A40BE5556BFDA03D3CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:40.041{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A774BD6048F317CD1825276C9030A27,SHA256=160B16F566A498082B8DA15954AB0BFF6F4143198BF90125E6C5DA3F8B4E3890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:41.785{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55353266F9007EC07DDF505514DCFC48,SHA256=B24A590D73B4CDDDA4EEC3123567B9942AC92C953960FC38B1D216BC27F0A7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:41.072{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA3EC5F2CA08C9A85E55E38BABE0A21,SHA256=8F62E0B8CFF8D858A245898FD2F505680029EBD6211643825D845AAB02F2FC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:42.941{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ADE95A895690560622B47A456BBD77,SHA256=3F4FA09EECB87B4DF6D1F6FE74813B66060608F78CB254F9BC5E45944EEF4052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:42.156{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336F4950F67311E76446BA2F5608393,SHA256=28BA20FFF268268F19605AE2B4B563A22D83D6182C0A4EE98AB72319E1691C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:43.957{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE400F60529C3954747A3282C275E80,SHA256=0166B91000543CA6553055D644FBFA9CE55FC764C63C7095ABB4E551A17AABD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:43.889{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:39.768{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:43.173{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB301A65336153E6B9D739B811952A30,SHA256=869FE3AB40498C9187F54074C29094CC64992F24C7CDB531CF9BB0B6E08571D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:41.981{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51014-false143.204.215.122server-143-204-215-122.fra53.r.cloudfront.net443https 354300x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:41.980{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53818- 354300x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:41.980{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local60546- 354300x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:41.974{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local61984- 23542300x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:44.188{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2BF0B3BC6A5AB1410647CEC8F5F23F,SHA256=C22416431FBF9C05A9ADD745F0E68C391C49B4DF2529E2E5A787D649C71F712B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:44.129{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:42.101{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51605- 354300x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:42.072{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51015-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 23542300x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:45.203{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB394A050059A2402B044D7040CA7AC9,SHA256=176BCFC97E4E74C0A6934F303C841A20C3D17C4F0F7DA889A8868213C6095EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:45.144{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C802F5D76902E5EAD28A2CF1670046,SHA256=7168F83D286A907B2AA99C7278709D21C25C3E253CE3EDED9E37D70510D20CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:46.238{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDF476F4FFF93EB94F33EB69C7B00CC,SHA256=110BDB2EFE8332A05CBFC5EEA8E5015A755E12855ED1839ABF09D7C99C82AF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:46.222{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B707AC8A2AD5A4AD1BBE4FDBDAB80DF1,SHA256=8F3B808192AE5C7BB1C26672A667842C0696DBFF7677DA83B10A0A9AC561C363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:46.187{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-03-08_101640MD5=C6E36C9B0EC3106D91DC53FD1AF35AE4,SHA256=3CC925AD1F614AED951E7587A5034D32751180CAA12DCAAA184607FE07E0F9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:46.171{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:43.365{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000017531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:42.444{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:47.288{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89071578FBBB46B464CD552F56DB655F,SHA256=B475AEBE08E08EF312B2C48969F58AE370158CFCCC743C94F380CDC4869CCEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:47.239{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821DA9DFDC4199E4EA431B9733B34F66,SHA256=08D7B09A6B732FF51ECE7F13D217252552BB0B2670A1649CB690A96C9C0FB1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:48.382{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040E1DE80BB09861DDCA93E6831A7247,SHA256=A4EFDB61916024F03341A8FB872F0428F861939059396D945EA36EADEA643860,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:45.696{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:48.254{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16872A6E46E9B417F2DA2B186237882B,SHA256=95743D568B189DB5F0F2CAE36AE84DCFB6CD8B201506F019CCBA94489BA098D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:49.382{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C281DDDB6B3E173E4AC19A49ABEB6A19,SHA256=1F9E41EBFB9847A5F1B4EC688A79CC6CEC72F060C27CC61B2B6CE342F33D08E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:49.269{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3852E1CBE24016C36172F1E718763D,SHA256=E61D6D87D38B042F511E197E36D2E78C7F142C5D39E60293084E941B9D116A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:50.398{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC92CA6C38AF16AFB2328EB5BE5A23B,SHA256=73C094379A8F9EDCF80C77BEF80B0E972816E8A085852E711B1B24D15DFE8AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:50.299{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE46C651BAC2312EA87C58F75E545F10,SHA256=144E7CCD0B1908D9FA21E04124354435BDCB7C9FD5D432D7A15CF5E02744EAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:51.398{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6AFB82721F08E83165264B68C76596,SHA256=15DBAE6FCCCC33F5062FD2719E93E884FBA511450A576377E8D72906C784513B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:51.317{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A089C9EE58AE35FEDE5C66BF468B0F,SHA256=AF8AD7A809BB53D7FBE854B2D11E90A43EF88796875C9945ADEC8B62CA557714,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:48.306{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:52.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427263B3DD54CE9E5EF8EA89070AAD33,SHA256=69EAC65E8109946153D77A7DFE3C9566762EF1E114F6EF78A6753D6B08D89AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:52.867{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3436D18986EFA3115F926B68DDE354D9,SHA256=5760FBC9F8C799CA0EC0D1ED12F1714E8B9D491E0DCAEB6F0630A06F38253594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:52.653{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-066MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:52.351{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F4F58538C8BE9FC50E3A650ADE8673,SHA256=31F9268F4E1ECB3365B35AF57E2A7089276A804BA370519D5CB3138E8D956049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:53.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FFAF9E3BF744EA6EE443EB1B0CD1C6,SHA256=B58135432678DEBBCD8BBC58D658B73B306A2E313483FA98A21AC71766BAB5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:53.935{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=E28021494C0AA9ACC99925747EF3F5A2,SHA256=81BC64D5D2411F186DE6D49664EBC6939B668F379185A777417370F50DF333B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:50.746{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:53.667{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:53.366{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2EB273F74DE479B488101072A2E758,SHA256=751CA8D73831397FB6DD61AD96BD0F9C8112A41285793F530BD00D97B233C7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:54.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639A4B1C955FB4198F221AE156EC4C1F,SHA256=3E9B6D138FCE37078B7DA461C9A92057B07A991CDEE4B440C53563C4369DC5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:54.381{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517DAC4796C023A832C2D2690E34B47F,SHA256=38376CC81310D977AFB341C786C2CC9223E76B6AFD9355A0E637FA4FFC29475B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:55.429{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FC86DE681793669DD72E0349B1B850,SHA256=7D82215F36CB72462A92A1910D9B5557471B375FFFDCC928E611D50AC297F342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:55.396{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1687D2EE789B781B31731DAB65AA3DBF,SHA256=C8CC71114A99E33D78A291DC75E0A290E569021746DC205B0876E46D1E923576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:56.445{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D34F367696E3BAD83CCE744578ED711,SHA256=553AD2E9E0D0C29CE96518D36CFCACF6DE1EC3C2789579F0B368CE2ED6CFEDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:56.835{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:56.466{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740279CF0A507C41F309155540AA469A,SHA256=A5DDCBF6844B6493435BAE42F568875EB0AD4ED18EB84961D26EBC08B92A54D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:53.400{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:57.445{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F84D481893F5403A441564DEEAD225,SHA256=27CA398D180AE080A1211E6B3D51B382D3D986A5E7D6927214D00639A77C0275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:57.482{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14720E659BED6942E81143CCCF81F6F5,SHA256=0E2BF32C4342BB728868DB2DED4CC425CFECB8EE15EB298E5C0C314693A2D899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:58.460{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721808A358A40972495AD70C96294C88,SHA256=E6AABED34C2BEF2897D649CEC288D2CA55D61CDCE8ED52A7E43C20B1389309E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:55.760{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:55.408{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:58.496{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66047D54A2D7D6E16A0C2339BBFEE55,SHA256=127F31F7B3969A389DA47174A55E1A87C6BA2943F3F541FD9095028993FDED6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:59.476{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72AF4C95FD42CA6BFF6D4181B4825C5,SHA256=9E85A0E0F927DB13A147B8476E5D03373EBFD1DB60252524FDDE254EC492D204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:16:59.498{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4EE7C5B5B2347DB8EF7233ACCF9B6A,SHA256=6F33D558F4D2ED7EC842F6A9A4CD97370243343C145CF60BD54B31E842C07E82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:16:58.416{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:00.479{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62701364D518B004B2F03B7CF52173E3,SHA256=C9CE0022C3DC288A28D2BF1FC20E9F91F1AAE079064410A52EFF8E9CEA923621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:00.521{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=0BE6BC3461C55A311D5033A649A3843B,SHA256=18D24B8699831950CBF12A6A2EA68476E6CAF7AC2B49E7CB6215D03AE1F8AE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:00.499{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26B5D593B164118C1753664A6289D12,SHA256=F6D0AEF09AA801E51B6CFB6F8FE2823A2676470B26847AB30C6DBB7C72081472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:00.059{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-054MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:01.481{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A21A1BFE0D3EEFB5D077077036037C,SHA256=6CDD49ECC5452AA08824E229F3CAD50B26B33F5ADA5E22F1EEDBD05428106342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:01.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F97E98E49E23BC3B0E49FDFCB35BF0,SHA256=951B3E67B0041F0138B69A5CCA46FBA0C6C6697FAE3EB670A906604DF6E192BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:01.058{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:02.484{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146C97405CCE5F7A6A5F16A8C12F6751,SHA256=B3EF9117E36DA787A1900455633D5B758FD5CB997E375E87DE9FDC7D0065A266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:02.535{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7346871CF9436713C1F6A51F62A289E2,SHA256=CBA101EBAE7786E9FE28A04F8D1F529FCA70746FE0F4288AB44E48C10EE5564F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:03.484{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B382CF37D60A7509139CA33A2DDDB6,SHA256=408B18B1F161E62C5BBA8974998529CAE0FE2B8FCA921FEE33271D50C3811403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:03.566{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0167603DF5D7FE446BF2824DF31FAA,SHA256=5B4F04B6397453F142256EFF96FA68FD6C47B6577231581336348E8A1739A215,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:01.644{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:04.566{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB1F41919116B1A74F0DAC37ABBD9EE,SHA256=F7746544C97C209428C49F962C4DDCB06D8BF3099BBA5ADE0E099A12BA3BBB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:04.499{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F7D96EB30DDCBED4ED7D71379AA45,SHA256=6C282009E66162BEFF7D7BA339F1359CDA950C57AD5F61DF865FE34B11CCD48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:05.499{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3B77C6AB48A07F57A817B16B26FCBA,SHA256=9EB490519B5BAB681C540B2F96A2D0DCC4EAB05C55F1623C6FA97C821AC814E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:05.581{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AA73151126045CECCBA9C502C7C126,SHA256=5D094B460DC9C2ABBED42D875E239E7B76CAF7C718E933B0EF0401440C4434B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:06.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9605859710044FD6CC84F85ED34B124,SHA256=B5BCEFCCA366651A2154D506FA7399B7F00AFEBAC67FB41BED8CB0E7EBDDEE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:06.596{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27F2F97A6DB51BDF67CF2B92D819625,SHA256=E44B90D6005E921448CAFAB4F2CA6090FD858D24BCECCA61C0551E6BCEEC9834,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:04.346{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:07.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D77D22FC7E230EF825680F4A16AF38,SHA256=6C656DC4ECC329BA1EDE61EBC750230CEE051FA61FA5B0FE1BF13BE1E446A66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:07.632{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA1714BD4F8CA4DAF0ED2FE217C6B31,SHA256=ED9AE7A233AFC3D0F7D741D318DAAFA9F986CFCD2E4737D73E5F7157B11F8800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:08.633{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182D433939CE72813CB9CB430FC108F8,SHA256=D603B1E8D714F6F151686AE375CACB1E1D7F16ADC34A5FA7CC237AA6AAAB335C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:08.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3916FE3DD219E5135409D3EFB4CE03FB,SHA256=25E3159A9328E6377FEE100B35AF32C4EBC45B52EAAC9C9DDA63E2578C59D3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:09.648{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839349BFE61112CC9E4CF8CE2677C9EA,SHA256=15A97E63B188743B5E626586D60E9E3AEB6D20971BA81B2DA6234EC4BC9598B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:09.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D0C44A7A033850772E5CF99C5D8800,SHA256=E914BC88AA40AEF3ED2598C802E645796C975E510F8DF18404BD8FD36E0C3D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:10.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C18B83E0461B1EC90AF512039E42E,SHA256=DF4DB1E6ED4D2A774635B8F5E43B11E1DEE88368E9AA43438F3B63BFA323A11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:10.664{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B22BC0205B87D6E4B22EE674F60980C,SHA256=9194C899BB4E22F172DDC387634447CEC1181029005ED16EF98E2200FF0C9B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:06.758{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:11.505{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E3610A635A518F0318FB26C5D92DC3,SHA256=80362C6CA67A0310801FB831BE30104F8515649564515A25E36902B0B5E99ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:11.664{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE3574E45FAC1F29CB7D15B9162288F,SHA256=FEFAD990581A7E96ECC2D5ADFD083C4E7E06DC7318909662E2FD0FDB7D1A1745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:12.748{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=EF10AEE3E4672BD19D56E0F97E3EA016,SHA256=BD3D8A48F2D7B599B51F47974EFDF4C5C43F27A16DC9BD89FD188C9063DFE12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:12.679{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A758153965B2A9661F6F12D4ADFF8F3,SHA256=E4808D535C1CE67D89F740475E6C0B0032898E5FF71EAE8B7F429A47750B55D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:10.382{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:12.520{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EF8FC59050B7C128DAA1AB122087E0,SHA256=25355461019ACCFCCDD8C5EF0103B62AC4EDA8AEEC346BCF3AED31028BC5BA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:13.695{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8838456AD0661CFB665C03388940616,SHA256=3865AA92CDB09E99049716479EA72C533889D122CC187301E493F2C8FB1BC329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:13.536{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93AE374B5DA415AA69FDD698C9C8977,SHA256=7C3BAD6637BFADE94D78FB10859AE54DB71F7DB807089D7591F2C99D68C4AB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:14.536{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4817C885E9CD10B08CEE9EA052935231,SHA256=590137CBF2DDD2E72C3584F106F1B1387BE6E966975EF547E5BB6ECB51893543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:14.697{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575A3EB428CAFF1945F689E4FC5BE146,SHA256=330D60EEB2DF39FA3F7118151D38EB11DDBA3D1A0EDE36698C7E0ACB385D1E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:15.536{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F305F4DDF9470E5FE68123CC5FC16C7C,SHA256=7D3B8887713F016676C0DC0BA959F45365CD25FBF66000A8CAFF54065E2F1B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:15.714{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E719112399551BC7B65646DDB793999B,SHA256=AACF6A878B776C012AA7F75A3908A06093785AA56E96978F8C3782AD7754D08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:16.718{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF339BB9739707B2C02EB056982466D9,SHA256=21BA0C6B417AD61136DC2FAA1D5DDB8B6C806573EA304C581A0A3FEAD66C297B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:16.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246005299D56405E1B5DD4ED8360C197,SHA256=71D356CF076BB581ACAB9DAB53E10C6509674557E6570E796243A8E5028140F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:12.788{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:17.734{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559C5F3A06274AE8F907440405C9C1B5,SHA256=DB39B72B963F618DB95BC864303DFC5554B7DE85EFE144C518786C0DB223FB91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:15.387{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:17.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E004C3A519A46498D606B0E46FF7A15,SHA256=F253EA2E3589F6B8C440B1D9B4D4EE2F23A2F0FB0BA81960B449BA56EA2FA097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:18.765{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C180D172A35A5737731B10128A62F68,SHA256=02B5D96B4EA90989C2DDC91A3F7F6F93A39D516D9AAC03ED4EBBB71E2C7D3456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:18.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC13D5EADBF791B1D2AE1573D763F4E,SHA256=8BDD65F22047186C27C1F484AD95CF074D9EDAC25E4183EBEBBCD07B20A69D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:19.796{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DDC1F5DA9CC1010F6F891B55A435CE,SHA256=98B82F159FB746DABB866AF14B4D85D7D9C8DBF386111D2C841DAE0AA3AA019F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:19.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641C519620B4F831162467CC524EBE06,SHA256=CA807E2768301BD831EB354155F3E7CAFCCE20607F0D6641BBA9E5CBBCF5C52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:20.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE1EAE319D09507822B82A37C138A82,SHA256=F90F4944E61EEC8FF44F258DACECB1A9FD592A222FDE5F5B2927BB577226E0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.817{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0024A546DF17E7F52756D897FFA2E6A9,SHA256=F04FA1DC0DED75C96978C976B32C3DF4C3BEC1C939D65A1DA23F2096C30B8F9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D30-6227-8D07-000000003602}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D30-6227-8D07-000000003602}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.564{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D30-6227-8D07-000000003602}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:20.565{C64CDE3E-2D30-6227-8D07-000000003602}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.834{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C98384BF9950F5A5A53581378C9B5C,SHA256=190EBA182E277A840C609304EBA031EC43887838C572FA91B9735278E2E5F710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:21.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400F33F40690B5B70B0CD5711C4CDA0C,SHA256=A37D4F1697431259F5F36DC1E43F072E2D9D508419F4AA50F252A42A695306D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.596{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4812BAE3B260558D42F7B37E931B594F,SHA256=1AAFFFC434A32664AB5AE4707D15CD5E733CFFE106CBD9744A58932E53175F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.580{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07C45870CBB65FDDECE75453A23B8EF,SHA256=0A996C20B9B19ACEB3A6687B1920C3381533C7755B9B88D6A46E25196D6C10E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.480{C64CDE3E-2D31-6227-8E07-000000003602}41205364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:18.705{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D31-6227-8E07-000000003602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D31-6227-8E07-000000003602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.249{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D31-6227-8E07-000000003602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.250{C64CDE3E-2D31-6227-8E07-000000003602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:22.552{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C888B16916823CD6F1FCE74B13A79C,SHA256=15FCCAD1067A36445D0B9C5D1AD6E40BD86B1EBC8A338A41FA98BEA51BB58387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.835{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC4413A3906B472D0779068BDB620CA,SHA256=5AC53D0FBB9FE324293A648C6C708E5B6A2E16F06A4D9AC8FB704094EAF09E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D32-6227-8F07-000000003602}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D32-6227-8F07-000000003602}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D32-6227-8F07-000000003602}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.634{C64CDE3E-2D32-6227-8F07-000000003602}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.414{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.396{C64CDE3E-1CE6-6227-1400-000000003602}10685128C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:22.396{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.935{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5345A3176586EE0D16C6DC12E191437,SHA256=8EFA572A16F7AC23604A6BE3C8A11975CD350006EC1B892A5E52B1FDB24C7525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:23.567{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04637DD92F73A8C208456562EB7C0D3D,SHA256=F6BF392EDCB55B6966C4A5A55018027D10EE406FAD2E41BFE5FBF1A42D07B988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.797{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.797{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.797{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.797{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.781{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.781{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.781{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.781{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2013-6227-1602-000000003602}17405652C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.766{C64CDE3E-2D33-6227-9207-000000003602}56606028C:\Windows\system32\conhost.exe{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.750{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.735{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+204ad4|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+1758c0|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+17c4f6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.733{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.650{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4812BAE3B260558D42F7B37E931B594F,SHA256=1AAFFFC434A32664AB5AE4707D15CD5E733CFFE106CBD9744A58932E53175F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.597{C64CDE3E-2D33-6227-9007-000000003602}70125232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D33-6227-9007-000000003602}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D33-6227-9007-000000003602}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D33-6227-9007-000000003602}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.382{C64CDE3E-2D33-6227-9007-000000003602}7012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:24.950{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789C9AAA597559164C5402B1F9A1DD7C,SHA256=196E68A1948DA75B0B292FF38D128D55A7EEDF76AF0956FD57E3944E99B062DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:24.567{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18AAB83CF0F46EC865ABB98D60C0EFF,SHA256=1B45292D6F37443A5C534180DF5BF8073974DCD69B3B64BBB4455897A54E88A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:24.750{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD04181C27F67FAC38BC120D9BB2FCC,SHA256=76D4982372EA18E81F9A3D82589D5ECBA2CA6F84A72108141DF21119E5A8D130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:24.750{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.727{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51024-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:21.727{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51024-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000017579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:21.320{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:25.996{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3367A0604E3B5640A364CD56FDABAF5,SHA256=98A46CBAEF2C3DF7D2BC9A603646CDC69B428344449443AA00574710839B457B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:25.567{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567D7F931DF97ADA3439CF71CF11154E,SHA256=EBACA53A6F38973E7FB2A04FDDCD223100F46CBC6131863E99581BE405E4968E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:26.572{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81231AD31EBCB13F322D0DA33B2F4D,SHA256=6D61609D20C1138A67D5141EB1363AD103E2C749DB07871833341579B1AC42B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.817{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D36-6227-9407-000000003602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.815{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.814{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.814{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.814{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.814{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D36-6227-9407-000000003602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.814{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D36-6227-9407-000000003602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.813{C64CDE3E-2D36-6227-9407-000000003602}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.364{C64CDE3E-2D36-6227-9307-000000003602}63006204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D36-6227-9307-000000003602}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D36-6227-9307-000000003602}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.149{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D36-6227-9307-000000003602}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.150{C64CDE3E-2D36-6227-9307-000000003602}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:27.588{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE4B3D22CE16A9B3938A179469CEAA6,SHA256=668BB1668B11B7C21F6D7D38304A27CF0C64F43C475F26A8F36C6E1208C67DA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:23.788{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.319{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D37-6227-9507-000000003602}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.316{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.316{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.316{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.315{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D37-6227-9507-000000003602}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.315{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.315{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D37-6227-9507-000000003602}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.314{C64CDE3E-2D37-6227-9507-000000003602}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.150{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B053C180CC77143F91D040757D0852,SHA256=F8DF797E4628FA8A65E23EEFADAAC65E5E51BBC37C701FC68633C99C0A84AB68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.035{C64CDE3E-2D36-6227-9407-000000003602}55643724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:27.019{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC598D88249AB9E0357660B1DACD72C3,SHA256=7F42234DD33DB4F69C4EBE2EBC09B8057F61F6E4DCF02F0E3B3FD67B1477C340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:28.603{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159EBB9200E769AC7C977226E7BE6ECC,SHA256=7C09F8ED9D5D5A9BA8F9ED30285847ABBED99B14884E35BC6CD74BE8D4F344AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:28.318{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59D82D978D86FCEADA3688C9DF76F26,SHA256=39937EE7C45269FA5748CA66DDC664FBC26BDC491874B97B32FECC59885DF89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:28.041{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C3432421FBC0BCD39C1F194F5C5D09,SHA256=6F24AAE1763E081CAA0DADB42B54BA3816FCB1F9861368816C24FD898FC53D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:29.603{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1E9870B8E7F266CE658EB31CA0A0D7,SHA256=C1DA99D472A1414AFE18928F95C2CED5935D9B3B101BB81141A0565C7D283A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:29.921{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:29.921{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 23542300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:29.052{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2673470A8DA077A30204F421D88D3690,SHA256=500F7F2DDD29B2D767440826152560D452F06D4830EA740A02DE8BEEA85FD8AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:26.340{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:30.603{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3340C386E755D7C144E907BB703741,SHA256=CF42484604C5DF82D1893990D92D45ABBA2F8D578C0349B8206DF954A9520230,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=04596B4666E74A2242E4EBBD3CC5E0DA16F808A47E6C3C4CCE6C4BD2FE3DA95C 13241300x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local2022-03-08 10:17:30.952C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=04596B4666E74A2242E4EBBD3CC5E0DA16F808A47E6C3C4CCE6C4BD2FE3DA95C 13241300x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:17:30.952{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.936{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-2D33-6227-9207-000000003602}56606028C:\Windows\system32\conhost.exe{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.852{C64CDE3E-2D33-6227-9107-000000003602}52841416C:\Windows\system32\cmd.exe{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.821{C64CDE3E-2D3A-6227-9707-000000003602}5552C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 354300x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.910{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local138netbios-dgm 354300x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:26.910{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.299{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.299{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.299{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.283{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.283{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.283{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.283{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.168{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.168{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.152{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.136{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.136{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.136{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D3A-6227-9607-000000003602}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.068{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4E741DC2DA523EEF99AF608650766,SHA256=D3EF637AEB633A833E683608909BDD9F654074A5D2AA865F327558BC3FE44286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.052{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:30.052{C64CDE3E-2013-6227-1602-000000003602}17406600C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x800000000000000017588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:31.619{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A0E4475845CAC3CF91F617B9932FCC,SHA256=F23B63B6109F6EC0A9CF84BD364DB6CF0ECC237C65D00CACB9E577DA986E8C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:31.237{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D20F69BA2234D9895F852FF2E914420,SHA256=92C18F6269531767411E9D91A2BFD87CB2DA502A9509E3B7578AFA1AC8087C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:31.237{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4791E84275A4014CD0F6AABC43A77F37,SHA256=71CE20178D08219FD0E6DF7086080C58EA2ACD9CE316D50813679EF5154D1D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:32.619{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3811AE5BA0A3C575D81DDCD7F7DD0C,SHA256=A701CDD52C6043DA0C72FD38EFD5782538BB794DF7A502D7C4DD02880B6EF32F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:29.762{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:32.268{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F69CECF0BE5A03B890DF066DA7BDCB,SHA256=AC8301A360E3C2627A748B70FD5493E874FCE8D96AAA6EA018E3B3C178C6047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.822{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F12DD6954BB761EC56CB3CC645858F,SHA256=9ED263F7A9E09D537ABC7F930A8E43BE85A9323B7B65ACE7F9725DD9DF4ED986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.806{DCBFC465-2D3D-6227-4A05-000000003702}29203732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.667{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.667{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.667{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.652{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.652{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.652{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.652{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:33.298{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5921D2C0D2644417FABAE001F7ADF8,SHA256=F54F059B5A76D37992FBA5F6582436D1AACC2C52215407D33F8759D44DBC5439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D3D-6227-4A05-000000003702}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D3D-6227-4A05-000000003702}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.556{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D3D-6227-4A05-000000003702}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.557{DCBFC465-2D3D-6227-4A05-000000003702}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.509{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0B48A28429392B981B57F8C67EF06B62,SHA256=CDEA00975EC11641A5ECDE8A9332D651DD9F66070765AC610045C07C3DDD7FCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D3D-6227-4905-000000003702}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D3D-6227-4905-000000003702}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.056{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D3D-6227-4905-000000003702}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:33.057{DCBFC465-2D3D-6227-4905-000000003702}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:34.837{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E491D70C0ADF16C3D718442D898B304B,SHA256=A357B4337AE59AFCBAEF1CBF57B3CE4782FD382FDD55A0273AA82133E6A375E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:34.320{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DD4E137DFAFA7C71581411F5BBDAF0,SHA256=BCAA598FCEB8B84976893326282329EFE2EA8DD5691D6BFAB144DB2A00651CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:34.259{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7768CBAFD8946472581D31EB398337FF,SHA256=B5455CB1DCB557E3512D5BA0D3CE8627C94CA3B3CBAC59BDEE5D4308D417DC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:34.259{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51A6714F07786154D3A0BCD73AB8C1D8,SHA256=59BC597BF43D957C65461F1901A77F6FD61EEBACF93D81DCC9E10E27CBFEF952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:35.335{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3847DB5625483A6F1B9C5E5A2C432F0,SHA256=E468F70DA724BBEAB939A6E071509CF867117A8B874057E47753775CD70CB7E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D3F-6227-4C05-000000003702}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D3F-6227-4C05-000000003702}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.744{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D3F-6227-4C05-000000003702}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.745{DCBFC465-2D3F-6227-4C05-000000003702}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.306{DCBFC465-2D3F-6227-4B05-000000003702}35083540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:32.371{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000017634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D3F-6227-4B05-000000003702}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D3F-6227-4B05-000000003702}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.072{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D3F-6227-4B05-000000003702}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.073{DCBFC465-2D3F-6227-4B05-000000003702}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.744{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4AB3B0435A70C1E477005BB3A715C5,SHA256=9FB14E02071F6B9C018509B71E2FFE8E957D9B81A8849A65C294DFB95B7BC1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7768CBAFD8946472581D31EB398337FF,SHA256=B5455CB1DCB557E3512D5BA0D3CE8627C94CA3B3CBAC59BDEE5D4308D417DC94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D40-6227-4D05-000000003702}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D40-6227-4D05-000000003702}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.244{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D40-6227-4D05-000000003702}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:36.245{DCBFC465-2D40-6227-4D05-000000003702}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:35.994{DCBFC465-2D3F-6227-4C05-000000003702}39962908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:36.667{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:36.667{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:36.336{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8A85A8D002FF11E2F714CB84FCC22F,SHA256=970352B9FCBABF9E4F1F9C76F1CA22F585EE8C6A29F5DC97A6DE6F0506B221BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.353{DCBFC465-2D41-6227-4E05-000000003702}7323544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.259{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3248AC677C6E5FF90D810080A5F09A9,SHA256=FB0DA1C271DBABDFC08E91A439A8152E777B49BC28DC0571C69B7B7EA1C69A5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D41-6227-4E05-000000003702}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D41-6227-4E05-000000003702}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.134{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D41-6227-4E05-000000003702}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.135{DCBFC465-2D41-6227-4E05-000000003702}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.040{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F795C74429903244180300EBE55A813C,SHA256=3663CFB6855E2A3A0C847A76CF4466A38FCA9F8F7888B40CC7E753E2D5ADE326,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.998{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.998{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.983{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.967{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-2013-6227-1602-000000003602}17404612C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+204ad4|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+1758c0|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+17c4f6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 10341000x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.951{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.952{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:37.351{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD51C2BEE3F78978EAB714D7324B48,SHA256=FD4CE1EFB90596870A087E8CB25956FCD6C1875B363A1FB3510BD8623E296401,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D42-6227-4F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D42-6227-4F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.181{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D42-6227-4F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.182{DCBFC465-2D42-6227-4F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:38.072{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869AEC89741E76F1951084968A8181BC,SHA256=673490D848E5B63CA635DB09C6B4AEB13574258BDC5978AD18AC84DE0C1034FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.966{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF0CE4638EFE96E661C1E9BB21D9C00,SHA256=B73749B227C4FC590F9EAC76700F8850494EB8333FA09CA1EB0622203F233FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.966{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD7984BA6BE9208C03B2394E85CB1DD5,SHA256=462C42B024FE8534D3DA8546657ED799B7AA9972EF640E35DA1B3795342D367C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:35.805{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.367{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEA900C7E944575340C08F89B9A8689,SHA256=EF98CBD9715A79253A30CE8E5AF5DC4719BBAC635778B0D720C74AAC5A864381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.036{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.036{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.036{C64CDE3E-2013-6227-1602-000000003602}17402880C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.020{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.020{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.020{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.019{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.019{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.018{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.017{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.016{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.016{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:38.016{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:39.306{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C6154FD3B6A4B1287C32B8B23F82C9,SHA256=FA5AD3E3CDA02158F7201E67151DC33FC7598054764B8165027CCBD1FEFB3470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:39.381{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748FBBA67D6D6CFEA2571B8A519277C3,SHA256=34C57729084D8030FC29397CA987592FDF4F896CF5C13EEBD845D530570A29F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:39.244{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0275BEE8F58EF5F80521DD00304B7F5D,SHA256=F71A474D98E2CD3755352257A5A98D8F225C9AD73A3D837746B2710397A60A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:40.540{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECA0D8D049243C15113914543E9C92D,SHA256=90BE0B47FAF836D031CEF087A2C84D1607A44FF3A00419BCF14279D6D048E09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:40.414{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BDCF3079F3192981B0B7EC3CCAE7A6,SHA256=D0A24BAE8B64A6D715F39EF00A6B54E27A2D8B6E3934911D42BB509C07516956,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:37.433{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:41.665{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DA6813AED560216E8B701005F1344F,SHA256=691D4E9580CED2544221D49A65E90F606999D8652418C751056DED0FAC53451B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:41.434{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D04F90F18B4BBB0EA802630B3B2A5,SHA256=433ADEBA54EC388C92AFE9DE540C97C43E69C1DBA0FFB852B38A2FE92ACF258E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:42.665{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2745954ABF15282AC1A5BC4D50C02933,SHA256=0C2DB3D1BD0C22012B4E6124D65F48BF0BD56F071828BD361F5BA65623380F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.979{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D46-6227-9C07-000000003602}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D46-6227-9C07-000000003602}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D46-6227-9C07-000000003602}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.948{C64CDE3E-2D46-6227-9C07-000000003602}7132C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D46-6227-9B07-000000003602}2888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D46-6227-9B07-000000003602}2888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.895{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D46-6227-9B07-000000003602}2888C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.904{C64CDE3E-2D46-6227-9B07-000000003602}2888C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D46-6227-9A07-000000003602}5668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D46-6227-9A07-000000003602}5668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.864{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D46-6227-9A07-000000003602}5668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.867{C64CDE3E-2D46-6227-9A07-000000003602}5668C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.448{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B7736DF9C306F5D6BBFB667DC72F6C,SHA256=A02064CB8D2C699997AFEAAD2BFBD5E1F9A6CA1C256A6444CA281713CA8F3999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:43.681{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12A4D8A2F7C4530E8F8C5CC2E16372F,SHA256=736124B15D39A47D99636AA483A33056057591AE1DC55F59B975BB3775C44A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.864{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF0CE4638EFE96E661C1E9BB21D9C00,SHA256=B73749B227C4FC590F9EAC76700F8850494EB8333FA09CA1EB0622203F233FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.449{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E797DF738EC4CF30E9803D4270A789F5,SHA256=0F4B43AB76ECABC6C85723ADE8766A06BD76651D317C49BB7B19F38D0E156591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.280{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE302844C1C2E6C1E08A5665EDD60C8B,SHA256=07FE5D1BCDA565E2C7B10FA93A057D0FBDD1CB8D7DB0EFFA6995485EE2586016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D47-6227-A107-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D47-6227-A107-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D47-6227-A107-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.229{C64CDE3E-2D47-6227-A107-000000003602}3856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.218{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D47-6227-A007-000000003602}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D47-6227-A007-000000003602}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.180{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D47-6227-A007-000000003602}6796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.192{C64CDE3E-2D47-6227-A007-000000003602}6796C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D47-6227-9F07-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D47-6227-9F07-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.133{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D47-6227-9F07-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.141{C64CDE3E-2D47-6227-9F07-000000003602}6360C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D47-6227-9E07-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D47-6227-9E07-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.095{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D47-6227-9E07-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.100{C64CDE3E-2D47-6227-9E07-000000003602}1552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D47-6227-9D07-000000003602}6760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D47-6227-9D07-000000003602}6760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:42.995{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D47-6227-9D07-000000003602}6760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:43.002{C64CDE3E-2D47-6227-9D07-000000003602}6760C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000017707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:44.681{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3201D4DCC88816639EE06CA26F94F77,SHA256=A408C2E431F8FA4693B00E7DF7A8680AB8CA9EFD7C10708D3E0822AC0A55E249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.748{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:41.724{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:44.463{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8896F249A78579B13F2B1790C40A7973,SHA256=992E67AAF19BE3FEC2BA5B20ACEFC331EF1116EB917AFDB14DC73CD80E1DBF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:44.150{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:45.697{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6532A07373DE0C6469EE9C01E9AAD0,SHA256=3B76A67D9027ADBF52B6A03AAFF272E1C8BE92529EEE4E9D7C5DC58343FFCC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:45.835{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C44C36599DFCBDB104FAA39FDC882FA,SHA256=41C0E177C3A944C8DC4212B7D85320008B012AA706AC50C5523BA90FF90EE4A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:43.387{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000017708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:43.293{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:46.881{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A58FD08CB34E1DE5718AEC92DDC5A44,SHA256=843C5E5960DE0FD8A0B333EBC9FCE0765A6454175F9BBD240B3F350F30F8FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:46.702{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5925540DFAAF6767588F35EE7518CC9,SHA256=A8DA0C1E4BF2C616E68C89BE98DFA8F6708A579E991065804FF3E14E9B954573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:47.896{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC334A295AC47E206B7EC8423159B62,SHA256=334B3E808BE0436236FF6D1197E3AA69FCD23ECF9134A7424205C458F5746A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:47.717{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7F5697F0E363485FCFB0FC2EB3E9E3,SHA256=84F8FEE9D4E6C4ED0F75689D0B0944E4CC9E51FA39E8B549A11304DF2106BA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:48.933{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFBD9D97A2C929DCB74B2C1B8496F,SHA256=3248074420BAD6EB657A5BB7BA1ABF965B125CF6CE1ABB32CC9897F6F6C96935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:48.733{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDF8678E6D6D332A074F38ACCD2CEB7,SHA256=AC893DC91CECE033E81070DA31EAB23EA23D435994FA50A1B445F8666F662C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:48.217{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=F2BFBCC4277D312BCAE8551BB388C850,SHA256=C86F101DF112ED4BCE23C01BD5E80EF5CE3718C9737DE24CC0901BDF5CF0A160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:48.217{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:48.217{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:49.733{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA980DEBB7886369105C881A5A92768,SHA256=B223EBA727392EA67EAF65E8782F980B5BAE27DE48BD702584CE94F675AA293D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:49.948{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107521E16D44B841A75B93EA836831D5,SHA256=190CAF7D6403FA7AEA35548B5A480B0B9088622D7EE7E8BE76F7CD663C2B256D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:46.739{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:50.764{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540C13AE98280830F44571779E07F39E,SHA256=44341CEF3F7C814C53D10BB2F347B4BBA85B55D3E654BDC1978C7D5718D05834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.963{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD43619AE29494ABED9886B14C55BCA,SHA256=DB503CAC6B2C889E62DC022442F30FC262AF2032E53B104C6B4B87CD24D0941F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.912{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAA24162BC4C8970883FE632A4AF810,SHA256=4543990E61FCD418D62B82D1DF3EE30704165AD9F68684DEE4D6B9E16CEC1EAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.879{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A907-000000003602}6896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A907-000000003602}6896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.863{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A907-000000003602}6896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.874{C64CDE3E-2D4E-6227-A907-000000003602}6896C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.832{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.832{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.832{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.832{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A807-000000003602}2248C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.816{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.816{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A807-000000003602}2248C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.816{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A807-000000003602}2248C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.831{C64CDE3E-2D4E-6227-A807-000000003602}2248C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A707-000000003602}6660C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A707-000000003602}6660C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.779{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A707-000000003602}6660C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.784{C64CDE3E-2D4E-6227-A707-000000003602}6660C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A607-000000003602}6900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A607-000000003602}6900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A607-000000003602}6900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.747{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.757{C64CDE3E-2D4E-6227-A607-000000003602}6900C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.679{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A507-000000003602}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A507-000000003602}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.647{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A507-000000003602}6880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.661{C64CDE3E-2D4E-6227-A507-000000003602}6880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.632{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A407-000000003602}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A407-000000003602}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.579{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A407-000000003602}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.591{C64CDE3E-2D4E-6227-A407-000000003602}6904C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A307-000000003602}5588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A307-000000003602}5588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.516{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A307-000000003602}5588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.522{C64CDE3E-2D4E-6227-A307-000000003602}5588C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.514{C64CDE3E-2D41-6227-9907-000000003602}54484244C:\Windows\system32\conhost.exe{C64CDE3E-2D4E-6227-A207-000000003602}4540C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.512{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.512{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.512{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.512{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.511{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D4E-6227-A207-000000003602}4540C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.511{C64CDE3E-2D41-6227-9807-000000003602}23606424C:\Windows\system32\cmd.exe{C64CDE3E-2D4E-6227-A207-000000003602}4540C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:50.511{C64CDE3E-2D4E-6227-A207-000000003602}4540C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000017719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:51.983{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1FF37D8EAF4ADA14B2AC1547EDB482,SHA256=42A1F76234D02750DF69F0E6E96B422C8A5D02135900B40BB6750DFAA5E26C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:51.993{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B38EE9E1328DE16E6E5085A13FD4966,SHA256=89C32A8E798A9D1A612A14117DCAD3FE6B670EEF38D481B430E3451C5191AE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:51.531{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E666AC47C82293667DF232270AB4E737,SHA256=6E5D9658DB1D18D0E98BD3AA9C2F5611AD046A22838844441B0BDFB96F3260B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:51.531{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9CF6E9745356088618E1456D91D7BA,SHA256=8652F686947F2FB1F8EB784090868166622138298EBD3D2BB9E493C6FF9D36F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:49.329{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:52.877{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5DCD95D9CEAD4715D4B8022FE08B1272,SHA256=E77983DDE70DCE484456E7796A7D62FB4C2932CE16EADF0F4EABD15AD8D5600A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:52.493{C64CDE3E-1CE6-6227-1600-000000003602}12966304C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:52.493{C64CDE3E-1CE6-6227-1600-000000003602}12966304C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:53.217{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40179914B9FC0180891281D6E725E728,SHA256=850BC566757E7792F1FB1DEAE36C3AB36D8F3D28A1FC00D65F215B6F73F15EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:53.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6937C2C7B9DD38E41E4DB36BEAAEC1FD,SHA256=0262D4AF46A24DB96E47D445C236354E982C68CA2499717FDE4BB865461DC164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:54.452{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07F73DD8D3836C4D9839B3EA9061C4A,SHA256=EF77BC65EEA0EB0A1A74E980443707C9666E29298B6266F2F207A28D3BA47207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:54.195{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-067MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:54.061{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBEA0102D4772000C221C5F0E4E6AF4,SHA256=2ABEFD7F5FC1FC39ECC8586AB837B08E4EB96ED8045179E07E87C835EA2D6BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:55.623{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C23248BE0A59AC19D751DD148EC8BB,SHA256=2C0DA47EE384E9D747DE5FCB011624714856273F7C4A6AC404B0D0186A1CFCD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:52.736{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:55.210{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:55.077{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49791B7028D747638471873049241E44,SHA256=727D090DB39EE86645A5A64AAF1720F3160A6261071F992D42C6234B135577EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:56.764{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21020A720CB8E876AFF9E5F00E3A5A79,SHA256=36DA67B2519FCD6C07FBD73CF2941E256FF28C384CE3CB1D85F795ED3B79ECAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:56.862{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:56.293{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CE1-6227-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:56.130{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1361EFFF83516B7FFAB30F372E645C,SHA256=B3100ED31D903516A1F6D5F044215FB41C89BFBD35694447784C328D16DECF1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:54.454{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:57.780{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E071EAF84E7B1889D7D544290A86096,SHA256=A478E2DB208F0248C364601E8E1D47273C78AC8CF6162F46BE47A24EADA4081B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:54.883{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51031-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:54.883{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51031-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 23542300x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:57.313{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867FC775D42611645FF8754B40F8767E,SHA256=B018BE9BA9B8B6E05AAAA6513112A8048DCA332C9E7A08770A649F852717D065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:57.311{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E666AC47C82293667DF232270AB4E737,SHA256=6E5D9658DB1D18D0E98BD3AA9C2F5611AD046A22838844441B0BDFB96F3260B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:57.130{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D14FC51B875D47066434AC21888269B,SHA256=38335BDFCC856CDBE9203B97BEB3F378E24D2AA0DB80B0D007A6853B3AA3F8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:58.780{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661278F4E54B30FBE94B7BEA2A6BB2DA,SHA256=FFB9B6A40C2307EE6FD3E562B64E75C492F6F20F2F7E52600138E24916CD30AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:58.146{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC01E9BCAC203FE97F76447860CD2688,SHA256=12770ABC883630D789A19479F331790E0E8118F40BE2861DCAF65C85885958D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:17:59.795{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3AAC2E3D3760B7F1F2B867B784C342,SHA256=16F7708D44DF8B5E0C13F553F33C02963DA28CB3B629DD27F59FCAD486CFE546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:59.160{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A882652A2C087BB97A863EA96E391C4,SHA256=00E52DDBBAA3A58D2BF00691329EA5837D55AB10E1742356B5D8EB5BB3B3620E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:55.436{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:00.811{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727309805138748AAACD8B5E2DF59E20,SHA256=647F5647A85F4265FF61244EA79C8F6A8084CE8BD68CEE458B7F49237BBD1D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:00.166{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC238A870A1E1190FD3AC89D01C4532,SHA256=EEF2BC27EA73E23C648E1725971E3398B8FD3573A92DBC2BF217837A64059E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:01.816{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD52DACA271D3B9EE47CD5D762F51772,SHA256=1FFC1CFA358C1BF2124790FB6B05161DEBE9A93F24595F9E679ABAF0EDF14161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9807-000000003602}2360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.950{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D41-6227-9907-000000003602}5448C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:01.197{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944EC0334903E487D00B658D14ED2A3F,SHA256=90DC24AEA7D3AC3B9AE80BC18B28546DBBEE5614177F2963A6E370E64CEB3D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:01.565{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-055MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:02.817{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5580C7B2839EDD651156FCC36B26876,SHA256=D516826CCC01D3130FBB32CA08780B20A81BEA6E66723B49F3B6D0B092C8225E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:02.917{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:02.917{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:02.917{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:02.234{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CCAC948076611F06FC563C581DE1DA,SHA256=1F18C7DA8CEF842A2371A86819DD2F83502A6BE457913DAF5FE416ACE78EDEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:02.567{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:17:58.756{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:03.819{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B040747F625CC9F01D7E1A35A9BA9F69,SHA256=5F14506F161043D44468C058EA27979FD6D8B73F5C6743CCCDF6E6B86DA43725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:03.264{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3A8439B0EF75CAC7D6451CECDE4786,SHA256=E12E2C5ACE5DF581CF5260660527735F9FDC9802E8A4A1553E1F43D9F824C706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:03.049{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\permissions.sqlite-journalMD5=114BDBFB07F9C0829254F257DCB03F92,SHA256=05D0C997FF06E3CBBCE06672E30CFD9767CE99B757F93BC287F3DA9A0AE06EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:04.819{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27F50B24F8B620E41F5465BAAAF34E7,SHA256=131FFD2D2AD3592BFFF5AF30F76321E7412DC4CC483B0AA6AFB345F06D000945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:04.279{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5289F013E753D66B8679D502BBE577,SHA256=43418B991C02A91B2BBF5F3725243B5DF8D4148FADA3A3E6FFF67EA245FAC2CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:00.299{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:05.819{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221E864AC1105F27F5638D32B026D398,SHA256=CBE358468AF488F7770684F4908BE399D30B57E2B8D6C8258A079D85E73682F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:05.316{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3686653E6622F3332300889E79F26DB,SHA256=C07296A7FD26B576003A653CA289951B71D772AE0B709318562EF30BDA84CE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:06.830{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BEDDE60C1C1F23E95AF3C2A998109F,SHA256=0596B21C657EDB0EDC92E6D77C2EA791B9095FCF730800BF87B14CE07A71F6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:06.331{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D03337D0D60E020DF985A1F58B4404,SHA256=DE63FA2AE7D66C0248170CC7A6E4C2947B55DCEB51D2B2E11AEC897F6C6097E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:07.846{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B6A61E67F596B8C891DBE6DADF205E,SHA256=445C4D3ACA182C43033B1AF37B9EC212E34889FB4521CABB73035EF8B08ED203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:07.393{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9075BB861B42D196581FA06A895E60,SHA256=27A5202E296EF2A327340AD959DEF9F73D66659A7C6A34059DEA84250CAB5171,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:05.352{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:08.862{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBA1B64F096604EEA51A485027D2631,SHA256=10B8F5CD2B37E1E23917E9C8E8152C344AC61135583D20A620375E4AAA9ECF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:08.412{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529B4B458C8D14B02AE9ACC45EB2FD93,SHA256=D574047BA2BC4BFEDE802B222D5814B3A3CDCEBA82E1A8834038311600AB8808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:08.061{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3EA5EF9C12BF0E19F80F1BB498BE78,SHA256=37212DB46CA51B0CCFEAA82793FF4A7DD4B67759B91F9533A557760F9B5A4C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:08.061{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867FC775D42611645FF8754B40F8767E,SHA256=B018BE9BA9B8B6E05AAAA6513112A8048DCA332C9E7A08770A649F852717D065,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:04.799{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:09.877{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22533A44817C56C6CA130302CAACA464,SHA256=E7BCAE5FCE1E2871FC349447672E8E4220D097AAA983BD23D0B702E1537E8B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:09.429{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB54F589EA329E16AD7AED3E50BD74D5,SHA256=67C677277BD8DB83CD5BD8D17A3CB04DD7E565FC658DE7350E9CC3F8EA0095EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:10.893{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B8029EBEB87C61B16AFEEB78C8C577,SHA256=A3F7415C7EE1CACA7F11B5DDF75DA01EB4A136187C74AC113A45894F004CDA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:10.460{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A41064001B4D345B0CFB6696F3F5BF,SHA256=0E8A7A34F557741CA1C1934D194746F1DF24B1828E97C1B1EFD0CB45322143E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:11.908{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0CB99261CE529F4461774188449B2A,SHA256=2921C55EC71EC11F63D08ACA7AA895E03A825C14F7EAAE9356D51D8D533F8B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:11.676{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:11.676{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:11.491{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C7922050925E1168DD557F1E6976F2,SHA256=50FA9DBB2BB49B3C3244539978A8414D50EBAC25BC3FE30B091F6F7FC04B9A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:12.924{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65B23C28E3903869076726E3ACA7D49,SHA256=5D1267C4906FD0D82F9CC7317D168308F69FDEC41BC611EB3D773DAD30A5EB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:12.510{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008D5AE4B268A4C43A336077D092B4A0,SHA256=5A452C44A551B1DA254BBE8010B984ED44987FD3A7796662B5604BD313493C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:13.924{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A391CF12D2EFF02CDD3458C95477CB3,SHA256=7501A77159D851DF8AC48BBF7358E26EAA0C63DB8C98641375A63D2EAF4FFB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:13.528{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5A7D019842FAC4856BF6851FA44032,SHA256=15594885E63CC5463DDA9933581EF2E604A98CDF0FB4AF971B82378DAEB1F339,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:10.411{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:10.633{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:14.924{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC91EF8D922C7626DC949914167EA177,SHA256=3B29A7674FF19B59E7C46FC520637B6A8570B47AC400B9EFFDAC9DDABF3F1C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.559{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650BA811D107E980D0B6E75CB38C35F2,SHA256=B5952D0AF02C39AA2ADA39335C5C63AE60BADE3AF12B65BD720B67AFE0B68A80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.390{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.390{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.390{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.390{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.390{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.374{C64CDE3E-2013-6227-1602-000000003602}17407076C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.374{C64CDE3E-2013-6227-1602-000000003602}17407076C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.374{C64CDE3E-2013-6227-1602-000000003602}17407076C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.374{C64CDE3E-2013-6227-1602-000000003602}17407076C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.359{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.343{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.343{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.327{C64CDE3E-2013-6227-1602-000000003602}17404612C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+204ad4|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+1758c0|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+17c4f6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:14.337{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000017749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:15.940{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180C5E45F9695497D7CB71073A89B453,SHA256=D83C9F81460DBB9CA4B66719C4814E7A7794F8CED9CE561D300FDF1E5B994D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.890{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.890{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.890{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF408c3b.TMPMD5=12AD5ED581403AA28FB3F9BE5BFCC757,SHA256=F150127F51FCFD124CD07316BD6D0CE80AB1CB9DF7C8B4C58EC253E92D990A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.559{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DDB416818C36A26B6008F976F492CF,SHA256=E721BB1E774736353B8E35156C3A2B5D38568C95F6E75CA16D0BF0BE89A050FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.328{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=831DFD5A9BB1E18431A494F1CD30BF45,SHA256=BD9C14FFC597D54DB4DE96CC82020507FEB8A5F4A7F31BA2A629B642A453AD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.328{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA3EA5EF9C12BF0E19F80F1BB498BE78,SHA256=37212DB46CA51B0CCFEAA82793FF4A7DD4B67759B91F9533A557760F9B5A4C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:16.940{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC4074A7263CF593D371E46CC36B310,SHA256=360B581B3A176E38D8632B4C44361B9D5FF4F1FE6E5ABDCFF2B55B6C42EC45ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.926{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECB312C70FF90A10DA936D3A98E6D84,SHA256=842670770C55A4DB3DC27E4908363C2CFA1DB8809C5D1A5556859956ADEB1E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-B107-000000003602}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-B107-000000003602}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.887{C64CDE3E-2D68-6227-B107-000000003602}6152C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-B007-000000003602}3376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-B007-000000003602}3376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.873{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-B007-000000003602}3376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.876{C64CDE3E-2D68-6227-B007-000000003602}3376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.858{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-AF07-000000003602}5488C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-AF07-000000003602}5488C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-AF07-000000003602}5488C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.852{C64CDE3E-2D68-6227-AF07-000000003602}5488C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-AE07-000000003602}4520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.842{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-AE07-000000003602}4520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-AE07-000000003602}4520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.841{C64CDE3E-2D68-6227-AE07-000000003602}4520C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.826{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-AD07-000000003602}5164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-AD07-000000003602}5164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-AD07-000000003602}5164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.824{C64CDE3E-2D68-6227-AD07-000000003602}5164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.811{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-AC07-000000003602}2584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.805{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.805{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.789{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.789{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.789{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2D68-6227-AC07-000000003602}2584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.789{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D68-6227-AC07-000000003602}2584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.803{C64CDE3E-2D68-6227-AC07-000000003602}2584C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:16.589{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A92F3990FADA5E21FA43763E265251,SHA256=4B91D08D17384C8EFC8665C0EEE43C791CA9DED041CAE61563BEA4584BE95FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:17.955{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A117C888C5DE50188F02C33B317103,SHA256=5A45F3F58B40F56A9FF806A7393266EE1375D1138087A6858B08AE59833FA9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.604{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A11A87A6F1312B09764CED5C4DE16EA,SHA256=45D9069D54B6E1334F61528A2765312B98403DECDD637B3D4C20DDDB4DDFFCBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.072{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D69-6227-B307-000000003602}2336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D69-6227-B307-000000003602}2336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.057{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D69-6227-B307-000000003602}2336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.066{C64CDE3E-2D69-6227-B307-000000003602}2336C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D69-6227-B207-000000003602}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D69-6227-B207-000000003602}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.041{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D69-6227-B207-000000003602}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.051{C64CDE3E-2D69-6227-B207-000000003602}5564C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:17.031{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D68-6227-B107-000000003602}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:18.971{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E90CD69EA7506C09EE5ACA6A3D20084,SHA256=8C4693220613262305E382B4AA15A188CCBCA169F0AB8BE177510E4519FD2BF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.659{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-BB07-000000003602}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-BB07-000000003602}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-BB07-000000003602}5696C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.656{C64CDE3E-2D6A-6227-BB07-000000003602}5696C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.643{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-BA07-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-BA07-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.621{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-BA07-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.633{C64CDE3E-2D6A-6227-BA07-000000003602}6656C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.606{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B907-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B907-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.589{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B907-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.604{C64CDE3E-2D6A-6227-B907-000000003602}3948C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.574{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B807-000000003602}6624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B807-000000003602}6624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.474{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B807-000000003602}6624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.482{C64CDE3E-2D6A-6227-B807-000000003602}6624C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B707-000000003602}7060C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B707-000000003602}7060C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.374{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B707-000000003602}7060C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.380{C64CDE3E-2D6A-6227-B707-000000003602}7060C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B607-000000003602}3080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B607-000000003602}3080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.358{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B607-000000003602}3080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.365{C64CDE3E-2D6A-6227-B607-000000003602}3080C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B507-000000003602}6752C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B507-000000003602}6752C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.343{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B507-000000003602}6752C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.351{C64CDE3E-2D6A-6227-B507-000000003602}6752C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.341{C64CDE3E-2D66-6227-AB07-000000003602}42166676C:\Windows\system32\conhost.exe{C64CDE3E-2D6A-6227-B407-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.338{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.338{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.338{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.338{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.337{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D6A-6227-B407-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.337{C64CDE3E-2D66-6227-AA07-000000003602}69166680C:\Windows\system32\cmd.exe{C64CDE3E-2D6A-6227-B407-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.337{C64CDE3E-2D6A-6227-B407-000000003602}6408C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:18.005{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=831DFD5A9BB1E18431A494F1CD30BF45,SHA256=BD9C14FFC597D54DB4DE96CC82020507FEB8A5F4A7F31BA2A629B642A453AD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:19.971{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D2455985900FB54CAE9FE3D74F25D9,SHA256=1E58933D5D24C9CDF1262B2492DCDC4FDF5F529F60EF0BB6862CDE9C5D6C732A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:19.645{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A834913DB644B72F08B615C3340AD484,SHA256=31072C6D2DE1F99E6A1F541655D1B7B58105C05F4BC6E9A1273C949A0A231CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:15.777{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:19.345{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1DBB5CA5B2DF2A5199239A68A7FB358,SHA256=163576247CCAC60BAB5EDFB2A3664F2A3DCF42DEC95AE2478EDC06157581EC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:19.121{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA0B2A7E11217132E8A1459177A0BE7,SHA256=3094B23AD7A1AB7B61530B999BCA796E65FAE71CC3F2DFB747D4DBD1BA45BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:20.987{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF7CEBD02A56C3F9D319748CAA6F6FB,SHA256=124053DDD555C7CA74729AAA10CCB1B2DBE6EA61F68B5C55E1CCAE5B8BFE2A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944DF9AD403CF3ED5B604335BC94AE3C,SHA256=7723F55045D089E387EF58DB37E9427D5951C5A5D7FBB48A770F06C53B4AC13D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:16.426{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D6C-6227-BC07-000000003602}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D6C-6227-BC07-000000003602}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.577{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D6C-6227-BC07-000000003602}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:20.578{C64CDE3E-2D6C-6227-BC07-000000003602}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:21.987{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971B758A9FD5E47C1F687FC6D089C535,SHA256=0415E30145C3FC3CA84B1B71E6038B78B821F49054298B660EF1DCF2EE245744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.676{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D49AFFA23DA746A153705499EFE09,SHA256=62FB7B3DCC665716679FEB409729C738EABAA7242A314A8F8E8FEBA6D9A13155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.592{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30E32A4A90E00C8F73AFA85286E5CD4,SHA256=500426FCCAE2DE5A359A13DA6E810B3C793DA5909183FBCEBD0992063B78FAC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.423{C64CDE3E-2D6D-6227-BD07-000000003602}67322504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.244{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D6D-6227-BD07-000000003602}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.242{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.242{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.241{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.241{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D6D-6227-BD07-000000003602}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.241{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.241{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D6D-6227-BD07-000000003602}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.240{C64CDE3E-2D6D-6227-BD07-000000003602}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.707{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A996F846ECD6D914C1D7CA9056B413F6,SHA256=131DA79981E4A088BCC311DCBA5BDA7EEAAA7214452DA6F80EC01E41E3F22271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.644{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D6E-6227-BE07-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.641{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D6E-6227-BE07-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.640{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D6E-6227-BE07-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:22.639{C64CDE3E-2D6E-6227-BE07-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.723{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A3BC8D963390F0E0564B16DC01C299,SHA256=0BFC4E07AB73A552E4FF142334169B22C2E09AB925AA568A38FF352095345BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:23.002{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D35AB859D951238CE9B121FBBB51B8,SHA256=7196312FD610412AEDDDB9F6375EB32439B360347D6C08C45421B97219670187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.675{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371F6FE34E211D9CEF586C7271DBB533,SHA256=E19657E531A588AAC608F36652424A21A9EA61A8F129C0EF0F53088AB7D93EEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.575{C64CDE3E-2D6F-6227-BF07-000000003602}47082888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D6F-6227-BF07-000000003602}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D6F-6227-BF07-000000003602}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.391{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D6F-6227-BF07-000000003602}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:23.392{C64CDE3E-2D6F-6227-BF07-000000003602}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:24.740{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36239CA7BAB136FD2E78ED081778AEAA,SHA256=765773835A911A6CF79E2F8200F1E032644625CEB71A3FB1FD6CD95729FFBD4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:21.489{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:24.002{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D9A4F3D5213FD772A643A128539772,SHA256=112C906A3032B128F15FE4EA799B779B7C03DC18AD82647013995B0AC38A17B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.799{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.728{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51037-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:21.728{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51037-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:25.758{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAD42EA5E2A0D0EDA974ED6F4AF02B9,SHA256=B59F1CCA1C72685DE8C5E9ED52E3167FF8F2E61D1F71BCC2498412FB18A42D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:25.002{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE665A8D2BAB2D37C529E3036B20A38C,SHA256=18B9AAA86D27D06E421F5776B772AA2AED40649861671666F9B5370B6D441D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.858{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B132F3E2E6F3C540AB1EC9C58DAE50,SHA256=8929F0AEE5EC4AD6DC986FAC233CBD43C2C6ABCB50735593F6C74411163F3298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.840{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.840{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.839{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.840{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D72-6227-C107-000000003602}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.838{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.837{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D72-6227-C107-000000003602}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.836{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D72-6227-C107-000000003602}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.835{C64CDE3E-2D72-6227-C107-000000003602}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:26.018{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5F4015D30D88EC14E550AF115E95FB,SHA256=B8A6815CDFE0259AB3F5B814187B6CD61E37AE20650B5BD9D729C3908AE55E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.640{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E363AC60F2FBD186EDDE4E51499D2C,SHA256=AC50485582E543667A6A644C01B9CD4AE152E8FAACE483B54516C2CECCFAFE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.637{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.637{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.621{C64CDE3E-2010-6227-0702-000000003602}26246884C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26242172C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26245388C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26246956C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26246956C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.542{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.520{C64CDE3E-2010-6227-0702-000000003602}26246136C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.505{C64CDE3E-2010-6227-0702-000000003602}26246016C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.489{C64CDE3E-2010-6227-0702-000000003602}26246016C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.489{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.442{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.442{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.437{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.437{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.389{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.389{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.389{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.389{C64CDE3E-2D72-6227-C007-000000003602}44441184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.373{C64CDE3E-1CE4-6227-0B00-000000003602}612816C:\Windows\system32\lsass.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.373{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.373{C64CDE3E-2010-6227-0702-000000003602}26246776C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0D00-000000003602}884916C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242200C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.358{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.342{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+37690|C:\Windows\System32\TwinUI.dll+37744|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+3fb470|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.342{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+376f8|C:\Windows\System32\TwinUI.dll+37731|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+3fb470|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D72-6227-C007-000000003602}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D72-6227-C007-000000003602}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.158{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D72-6227-C007-000000003602}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:26.159{C64CDE3E-2D72-6227-C007-000000003602}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.974{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598E1DD4CB97B47ABD10D88667CF0666,SHA256=4EAF47707CA6793B443132D06624DE8CA34D02EB19488E578E450B22E5412823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.974{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E9D6F1157091896E404AFA8BFF1715,SHA256=E9C9B4C22CF3AC6F705D8453B276236E1A1CB2E36AB3B98B1A46FD07D3CF46CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:27.038{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC19C64E323C14DB9907F2F8287B2FD,SHA256=4E4863206CC0BC472D36AC294F0AF67D2DD21200A6F807422705B46EB72F542D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.705{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.705{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.690{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.690{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.690{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.690{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.674{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.674{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.659{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.659{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.659{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.659{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2D73-6227-C207-000000003602}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2D73-6227-C207-000000003602}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.505{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2D73-6227-C207-000000003602}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.506{C64CDE3E-2D73-6227-C207-000000003602}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.237{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca 10341000x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.237{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca 10341000x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.221{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca 10341000x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.221{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+2a3ecd|C:\Windows\System32\windows.storage.dll+14d4c3|C:\Windows\System32\windows.storage.dll+14d53a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.221{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+2ca762|C:\Windows\System32\windows.storage.dll+e3ba5|C:\Windows\System32\windows.storage.dll+14cda6|C:\Windows\System32\windows.storage.dll+2a3e2f|C:\Windows\System32\windows.storage.dll+14d4c3|C:\Windows\System32\windows.storage.dll+14d53a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426 10341000x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+df713|C:\Windows\System32\windows.storage.dll+dee81|C:\Windows\System32\windows.storage.dll+ded95|C:\Windows\System32\windows.storage.dll+ded2e|C:\Windows\System32\windows.storage.dll+5bad9|C:\Windows\System32\windows.storage.dll+13a3b6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426 10341000x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+e1f13|C:\Windows\System32\windows.storage.dll+5b950|C:\Windows\System32\windows.storage.dll+5b8a7|C:\Windows\System32\windows.storage.dll+5ba77|C:\Windows\System32\windows.storage.dll+13a3b6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda 10341000x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+e3ca7|C:\Windows\System32\windows.storage.dll+13a475|C:\Windows\System32\windows.storage.dll+13a398|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-2010-6227-0702-000000003602}26245864C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+13a449|C:\Windows\System32\windows.storage.dll+13a398|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4ffc 10341000x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+b7f88|C:\Windows\System32\windows.storage.dll+1a2cf9|C:\Windows\System32\windows.storage.dll+1a2b55|C:\Windows\System32\windows.storage.dll+b8ce6|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.206{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.159{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8885A4657402A875E1CB8CCAA419C50B,SHA256=879B9FF1A0D8AB1E129E1577222269F417F5D9CCBAA6CB1AB656FB01E22FE2C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.042{C64CDE3E-2D72-6227-C107-000000003602}63322248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.006{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.006{C64CDE3E-2010-6227-0702-000000003602}26247164C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.006{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 23542300x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:28.975{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F91CFE4A78A17C2A1A4BF81C57486A,SHA256=57CC2F7250CCA33353C4079289DCFEFE5B4FAF331ED0163B31AC5DCA26C300D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:28.054{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3088BC33F646ABFE44A669FEEA8ABCE,SHA256=8E7564B415E3725341FB683954DBBECEBC9EF3C1B7809D841D8F39EC58D08EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:28.541{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF8128F64D0B014B046B8622D2AB46E,SHA256=315D251DE5C3712C8FC2BEB13DC617C58E5193159204722FDA85CDEF65495361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:28.075{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:28.075{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:28.075{C64CDE3E-2013-6227-1602-000000003602}17403300C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:29.989{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306D2A30B5BCF5DB92E4A1F64335C86A,SHA256=69A2654AF91263E0B0E6D250296AC246E06052B52C5C8974AFA9DC540B75CE35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:27.478{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:29.069{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A421FB43486459DC39E202C057DA63CF,SHA256=400506BBC0BB23C05EF44450A7E6CC793FCA955B8B77339FDE0B828CE63EAE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:30.069{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B4E59FCDDBB2B533EA7DF9594C61EE,SHA256=862BE64CCC0A2AAACFC2BA4F8FE9C17BE28DCF881D86573A6686988C30F6CE4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:27.650{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51039-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:31.004{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4A108DA74C91BE959497D9B6BF5038,SHA256=032F169BFBCB5EC141A177E40E13DAA81E5947A7BCFC37335B1C9CC1ECE974CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:31.070{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E19F4469F5A8D38E8DBA326F41CA7FE,SHA256=043DC18FCAD50F1D33F00640AE0C37F71E552D325CD8FC2B16F22FACEFA929C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:32.085{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF215C7DCBBF0414AF3C0F8F9618D77,SHA256=123E610C8A1ABA668AD0BA3F910D7F1CC84D835DC64AF59E51C3989AD16AA307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.889{C64CDE3E-2028-6227-3902-000000003602}5520ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CU1Z2ZAE\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.851{C64CDE3E-2028-6227-3902-000000003602}5520ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CU1Z2ZAE\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.851{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.851{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.804{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.804{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.666{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.666{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.035{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752D02C2CF8E45334A1826C1A4F02464,SHA256=3BFD4F24828B13206DED787C4FD185B9C9F2A05D3B5E6E971F58B307216BF61E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.930{DCBFC465-2D79-6227-5105-000000003702}23801972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D79-6227-5105-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D79-6227-5105-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D79-6227-5105-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.726{DCBFC465-2D79-6227-5105-000000003702}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.523{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=81CA1D6AD86E30B24FA8C3D86721AFC4,SHA256=B04894C549B86A3637FC829476F5839E5946A9EFD2C23BD1F42591403A3982B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.101{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3956A5D818633F8E60FABD397B99B4,SHA256=1179125DE775826F994E9DFECDD12554F903224757A962056CE5DE22BC112A2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26245500C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.490{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.220{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.220{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.220{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.220{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000033759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.160{C64CDE3E-2028-6227-3902-000000003602}5520ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CU1Z2ZAE\microsoft.windows[1].xmlMD5=B0C6AAD7343F8474AA533BEF07695AD9,SHA256=23093632E5040197B451C7B409E0C8BFC79F7A3F1CC1D463096318A99E66B1EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.136{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.136{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.132{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.128{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.128{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.124{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.120{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.120{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.088{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.088{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.085{C64CDE3E-2028-6227-3902-000000003602}5520ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CU1Z2ZAE\microsoft.windows[1].xmlMD5=B0C6AAD7343F8474AA533BEF07695AD9,SHA256=23093632E5040197B451C7B409E0C8BFC79F7A3F1CC1D463096318A99E66B1EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-2028-6227-3902-000000003602}5520ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CU1Z2ZAE\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C307-000000003602}5340C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.067{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 23542300x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:33.035{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E6B230B878724D60DDF306DFEB439D,SHA256=26C706EC4ECDC2E57B716D6EFA31AA85F23D352FE6F4F8A2A1D08092B4AEF320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D79-6227-5005-000000003702}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D79-6227-5005-000000003702}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.054{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D79-6227-5005-000000003702}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.055{DCBFC465-2D79-6227-5005-000000003702}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:34.102{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F4372C899EED079D3470DA70186C41,SHA256=D92AA12DCBCB7C92876509AB82563270AE8360193CE081C9CBE5068FEC4C196E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.269{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C413F5D09CE7C837EA667877FC20A037,SHA256=8E79662055A60A8BA480FAEF45997250FCEFAFCD56763D67378B11B31936E163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.269{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED9515CD61D785AF033165D7278F620,SHA256=92BF613D7FA65FF2179669C6C2E1764A85D90D1D66FC022C3FF1FD6527A24BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.269{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6438CE5EA9EF9A8245C06BDF6F4CD623,SHA256=02E870172ABB085AAF85BA63D8D9CBA4AB9DADC7478F9AD8EB5769DBAF81BD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:34.070{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC0209CF64D7254A92094DBEED9DE35,SHA256=40C89CCA4CE07AAD2536AD5704F8B7725090C70970D23B18FB576FCE67D99B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:34.070{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FD0D50C740C1F3E8F4C6C2F4098FF3,SHA256=FE391B504645827BB145E7D7E4759C6BF15BDDCEE27541FC0BCC35BF0630D857,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:32.793{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.292{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FF955250997F85B7A02CB77C12BC9A,SHA256=C6E6D0A3D4E51DDEF19C38611CA189FD7E0AF4EEED8B6AA4BE76FBD13E354F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:33.306{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000017828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.775{DCBFC465-2D7B-6227-5305-000000003702}23882392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D7B-6227-5305-000000003702}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D7B-6227-5305-000000003702}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.585{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D7B-6227-5305-000000003702}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.586{DCBFC465-2D7B-6227-5305-000000003702}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.116{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB31B0E43911EE40CADCA457CDD5735,SHA256=0DF09B32D8F209060E11BAB30A30B35EAC674C0B41920DAC4DDFFDB84B72C27F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D7B-6227-5205-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D7B-6227-5205-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.085{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D7B-6227-5205-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:35.086{DCBFC465-2D7B-6227-5205-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.005{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.005{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.005{C64CDE3E-2013-6227-1602-000000003602}17406784C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.005{C64CDE3E-2013-6227-1602-000000003602}17406784C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:35.005{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.990{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.990{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:34.990{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.601{DCBFC465-2D7C-6227-5405-000000003702}10443640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.257{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC0209CF64D7254A92094DBEED9DE35,SHA256=40C89CCA4CE07AAD2536AD5704F8B7725090C70970D23B18FB576FCE67D99B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D7C-6227-5405-000000003702}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2D7C-6227-5405-000000003702}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.241{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D7C-6227-5405-000000003702}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.243{DCBFC465-2D7C-6227-5405-000000003702}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:36.132{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171A1CC2CB7E33EAF8E91E7DBD272F02,SHA256=918BA5A4296CA4051CF228AFC479C571D60D8995914E16CE0502F34B1827CED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:36.308{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874105185B36920C14FD6A881CFD2CB5,SHA256=C5F7B4370BDFA451EB3E317BEECF796CBC4F8FA15FD0F61BA66862B29EE2FDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665BD24E7294454D4C5FE3CD84ABDB75,SHA256=A9DBBF01B6D5F6B16FD5DF8E2D837DF6B51DB0BC60150E70CCDE4B9B8F8400A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.366{DCBFC465-2D7D-6227-5505-000000003702}1804764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:37.323{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCC041FBB52A4D88608140229AC485E,SHA256=2EB7CE6113C882578E9F7F41D6C0C25F65B3B54BACEC2A21A6DFE8C4F022500E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D7D-6227-5505-000000003702}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2D7D-6227-5505-000000003702}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.116{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D7D-6227-5505-000000003702}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:37.117{DCBFC465-2D7D-6227-5505-000000003702}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.554{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7454F0E04FC796EE18FA06F614A2050C,SHA256=D8020FB69B8702D153AEFADC438B836FED840993D30C7A2A79564D5EFDF8365F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.510{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.510{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.491{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.469{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.469{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.469{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2D7E-6227-C507-000000003602}4368C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.454{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.454{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.454{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.454{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.439{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.439{C64CDE3E-2010-6227-0702-000000003602}26246968C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000033797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.439{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.439{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.422{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.422{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.422{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+37690|C:\Windows\System32\TwinUI.dll+37744|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+1094cd|C:\Windows\System32\TwinUI.dll+d234f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.407{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+376f8|C:\Windows\System32\TwinUI.dll+37731|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+1094cd|C:\Windows\System32\TwinUI.dll+d234f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.354{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD73653B2268701C5D6349E0BD68F270,SHA256=8A8C99FEE836DCFE0A25D902AEBDC1685163290936FFF40B32102F2B6D696EB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2D7E-6227-5605-000000003702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2D7E-6227-5605-000000003702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2D7E-6227-5605-000000003702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.195{DCBFC465-2D7E-6227-5605-000000003702}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.148{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5940F6E4875B9B0A47337A64EB722CD4,SHA256=35CA3972225BDB71626CB02ECE78E46A416FFFEB6E769778FACA50C54953828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:39.569{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4704E2F0B88963A02FA5DB8C6D5CFE7F,SHA256=D1975C9BD07F6E5400AFFBB826F0B6A61B029B1038C4A45FC1180BC933C99F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589A1D312DA90DFD0479A8036702ECEB,SHA256=A2F84017932D2379762474D59CE661A4B39C964BE34AE838520ECA43732199AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000033822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 23542300x800000000000000033821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C413F5D09CE7C837EA667877FC20A037,SHA256=8E79662055A60A8BA480FAEF45997250FCEFAFCD56763D67378B11B31936E163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.869{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2013-6227-1602-000000003602}17406704C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.853{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.838{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.386{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BF43E208396821A9A6F194B3383EB6,SHA256=9BEACA0C332E72C88F3C980CDAE899B0C6EEFD0D6AA6F42AF0C39BF981FFF441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:39.210{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8DD9F9F0189AF9BF69B7BF853F86FF4,SHA256=C67B61CD62DB0A33A2D4A28FE32A4A831A0C1A1FE2C457839784291A56D0EC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:38.322{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:40.569{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47A2313D82CC2CA2DEC7AEA45DADC93,SHA256=33FC257367C82D7601712938E3C13E3AEC7CC796262E4DFB8ECEED6D752C8625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:40.391{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E482BF79E6ED91F74C8965189F86,SHA256=1B0A0E978C76A893266B764CCE63E360BAA496CF8C5A54D49CDA0E03C04FA4C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.991{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+17c86|C:\Windows\system32\ShutdownUX.dll+179ae|C:\Windows\system32\ShutdownUX.dll+bd60|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c 10341000x800000000000000033826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.991{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+1798a|C:\Windows\system32\ShutdownUX.dll+bd60|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:39.991{C64CDE3E-2010-6227-0702-000000003602}26246432C:\Windows\System32\RuntimeBroker.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+bd1b|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 23542300x800000000000000017880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:41.585{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85CCD1ED1AF96D793A08D227F9474F3,SHA256=5A5EF8C2E07DF20C20E4459CE4BAF63C9795BF284CFE68377CBB6F5608068896,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:38.694{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:41.453{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BEB90B1B3658C4BC9044B1130ED404,SHA256=2135EE8D9FB2CCFF7D12AE87234B6113CF6CFA3A79F15529238A96B1AF78D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:42.601{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD21E2D3BDCBA08F575125A6709058DC,SHA256=5C5C0C53E3BE54DFDB6BB7BDBEE0C12B4863AE00BB29D26FF0F07D30C201D09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:42.468{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91CBD4B7C359B28A5CFBECAF7939E0E,SHA256=CA05A8DE167EB516CBA1FEEA9E82E4F93493110D926659A921F9BE3D49E3EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:43.835{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CAF6A920DE42656E330EB5A3553475,SHA256=3E25DD7B9CAE48B803D8A2F32CF234609164A52F10B7D98A89E3C6C888A507B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:43.889{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:43.468{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6DD9E98D1177901F63BB7F2E359D44,SHA256=4A3408E9BD9CCEC1340B106FD692092CF00A10588342085CB686B0AF87BEDA2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:43.267{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:43.267{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:44.179{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:44.485{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7227332A000DBD8DFC8BA0CF183534F9,SHA256=BFCE8D0F31A74F51068BB47DCB1BBCF63249D751646713AA19EBCD3AF7A867B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:45.070{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA73B724A6D97E5E7C477123A299733D,SHA256=C4C0861A7633C1AE62150674BE18456E9AB798F91331A8510A833A55F3C97113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:41.856{C64CDE3E-1CE6-6227-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51042-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 354300x800000000000000033838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:41.856{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51042-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 23542300x800000000000000033837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:45.519{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC34D707BACDE9213C5CE15FA87C1F3,SHA256=AFA0D298C68F6C72C8FF24F47751DA7B09E83344005865F0C7E4093998C3619A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:43.495{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000017886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:43.416{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:46.070{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DA7C4E14CA42D5D6BC8306A8959D79,SHA256=7635ED0B14693FC2ADA3B79D92E1E4563EDC9AB44FDC2BB580A6928307D18288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.524{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA346113EFCDA86F1B8EEC7805FF689,SHA256=CC1B7B844862B781BEA15574F420A765109741998F18A335D974B6725964A92F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.050{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.050{C64CDE3E-2013-6227-1602-000000003602}17406092C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000033850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.035{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.035{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.035{C64CDE3E-2013-6227-1602-000000003602}1740416C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}1740416C:\Windows\Explorer.EXE{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405104C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:46.019{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000033855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:44.710{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:47.539{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C107C6EB82CF4058F04FCF1E9D3FC8DC,SHA256=5CE15C32DDFC8BDCF8FD6B6FC66C195441E1F0925A180C64E2A827D01C7A3291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:47.162{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2720BA4283C5120C1853277AA6F93EA,SHA256=D8957A288F7EF274374B9C585108EA3DE1AE40EED621CDD846D8710741530D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:48.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA0C61BC3437CF36111C98802A181C5,SHA256=1D2499EAA363A38F3A80B9F659EF8BD2CEE02A104EFB9DD337943794EA2F5D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:48.554{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA75C7BBD5C007D3C7A90A437DD2F893,SHA256=52942435C52AFDE48E8B80AB096C105F457036D3D40CFBBCF7CD1CAE89DCD45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:49.209{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6B09509B77774D8A7813D22073F0B3,SHA256=E31F507614C3A757E5FE6DFEC6ADE26394F91EFD51C6E74BDB120DA32097EE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:49.569{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30D76721C10C5A1979158974B17CA5E,SHA256=18C3DB4D509B00E0D752DF6271A103454B945F30E5F963241067C13772695C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:50.427{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9620BADDFD19A6C3D40D2C6F29DC598,SHA256=187459337F1EDCEDE2F57F86247524A6D4716B113BA239EE696040DB663CF9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:50.587{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11EC71FF2C55E2431C278BA08149973,SHA256=237D9C2B91124DB53E5D89875D32216C2FDEBFEF9995D0DEB8E65787415D21C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:51.427{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F4F58612E6B6286AA3D02C93A1E4ED,SHA256=3E2D9E8FB3418B47517EB6E7285972A5C6868D4565BF9FC6737F942FC7F425FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.605{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3C5E1B5E85CE89E949F74DA0F71B54,SHA256=A5BA5DC7B279B3C13D4F60645730FB4E88AED0812EFA864DA762B74CC9C90092,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:49.367{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000033867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.368{C64CDE3E-2010-6227-0802-000000003602}48926796C:\Windows\system32\sihost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.321{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.321{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000033859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:51.321{C64CDE3E-1CE6-6227-0C00-000000003602}8242364C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000017894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:52.646{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0367C3C5963611C844813741D46045EB,SHA256=3528613F85F43C15C11D65C8E7A179722F63BF5B622025F946FC9B7CE3A35CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:52.889{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F32700DB0FFA52152A8212FDB47427C1,SHA256=5AD86F0ACA1FF83FCA2AC9914422B8043B1A9017242D8146035DE2709AC62BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:49.754{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:52.642{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50B34DDA22BEA25DB54F9EE8B26225E,SHA256=1CBD49DF94C4E7A0CD2400FE3136BFE5585F43B95C73C9C1DE1C449F956769EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:53.693{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421EB184350E7414D84F597119AADEB0,SHA256=F0A0BFD429B7D13A6D04FD3D0BBBF748B48B91775DD5099751B8EC0AD9B12DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:53.657{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803BEE0FCCF356A7E995EB7A1B8609BA,SHA256=E665E784C86F8EE6B38EB7A21D03C6EFA3B321F4D256435C297FC6674C532021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:54.771{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD6071FA1C61066FFEF3EB63483E65A,SHA256=D7E5D0928A8FF89C4C4AD14CB18E41FFBE9D180265ED2B6B6C31F0239FC4A812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.672{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D54960D9CC3922CF0CDF2B6C0294F53,SHA256=9D2A4652F20CADF4119C0A53CEE006FF510240D94EAEF62B6783826BBD3E3CE9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:18:54.425{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000033877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:18:54.410{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Config SourceDWORD (0x00000001) 13241300x800000000000000033876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:18:54.410{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DB477B57-8AB7-41B7-868E-2991B0EC5E6D.XML 10341000x800000000000000033875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.410{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.410{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.393{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=3B5D9A7DFC90278A498792CA61119DAE,SHA256=B942AD69260834ED6A9EDA0CA4366962ADE2C4451084796DA3DE88DA758B8B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:55.771{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0DE2DA1720748C5B1CD9A596D3D805,SHA256=16713ACF665DA9A2168D5AF35AE388255BF57AC8B31365FC9040165914300D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.745{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-068MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.690{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E1C291BF3C77FDE712DA6193246385,SHA256=A3C415BC71AAFA247F80C52A889AFF99B88233C49367EADA2999A2B071B81059,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.256{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.256{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.256{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:56.771{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BD5D02666E96AAA149821E0B175BD0,SHA256=C8BD55C410D2C8AF6933E77BDF94695BE95330BBB45F011B627703D120B42E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.892{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:53.841{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51045-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000033892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:53.841{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51045-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000033891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.757{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.709{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1421BD3780DA5AF0E89DEC78D2D88E6,SHA256=11C69C0F32C134F6A9B721D8B14204B78051F9F231B6E08A87BADE44848BC088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.272{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFCB75D3E66C60335842DB6BE6927B0,SHA256=3FC701CEA234FF3FBE9834759BA7AC61F14605FD9213B04D54FC19CC0596EDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.272{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589A1D312DA90DFD0479A8036702ECEB,SHA256=A2F84017932D2379762474D59CE661A4B39C964BE34AE838520ECA43732199AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.093{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.090{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:56.090{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:57.896{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97122637C05CE0BE28D63ABDE790635,SHA256=E404428DA025ECAE01B0745DD4461B6A3055E9CCC4B85E42EAF12AEC91B9BE7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.672{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51046-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000033896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:54.672{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51046-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000033895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:57.740{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190F891F02B52F8DD6BBE7DBD38D25CA,SHA256=BC78A54DBDBF38D9906CE3B169C1AEBCA68BD8DA80D3A6F443B47CDD5932FC1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:54.492{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.656{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000033899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:55.456{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000033898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:58.755{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D19F1A0F3EF3698531DBF7B7C296415,SHA256=7064BE5263E9A0C9027ADCBE652BC72C626FAA00D44FBF065189A0A762C1AB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:18:59.770{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7715CB5A3F02AEFCAB68738DF860AE8,SHA256=332E65208564D8C2F98A11401A45F462E30D41B3325D2D997F37A2F57A6EACAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:18:59.037{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6AECE1A4A30B4F6912DEF0BCB1A395,SHA256=8A9CA43055015452D570FD31B2D30FCF89D830105D387762F7E49908E3DC1180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:00.788{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC125E708AB965DAE4A40852E71E3F52,SHA256=2A40DEC2EB95DFE54C03D05977ED35CA8871264A4BE1AFBC7B1F7119D20ED7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:00.037{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDF78A0C9A6F75B90C40A137780AC22,SHA256=CED54E2F15317FA335A498F680437A0F8912C641A58ACD3FEF6EE7FA37608406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:01.807{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06F6438E5439822ECEBA69734D41C17,SHA256=BD39958DCD2B7528BC20C38809DF97C0F95DF89799B02FA1DAA6B07475090AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:01.240{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B63EE1433AD225235F325601FCB4639,SHA256=F6F01D5C4130249DE05CDB980E01F3F15EDC14C2E90D0DCB0019A814C5E9B22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:02.813{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DC5323E1DD5296BE941E73C7AFC457,SHA256=0D11A89D7302DAE8E12ECD705F85F5A624C8B3B375B72AC7D7C6C44506B61916,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:00.320{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:02.240{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBCA02C061A3621C2633900092D60AA,SHA256=DEB5D9B86476816B1693E2DB3930A2F1ACE4B0CA0FBD7616D5648EE8ABAB21AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:00.691{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:03.828{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B839310A588579848AA35A21FF32511,SHA256=98AF1D5BC588343096B6A5DD9159B3F9AC33F498E087697C048F48CDE489BF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:03.240{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC22E9C5FF086DE4415AA17B803A33B,SHA256=0FC1C8F0A3D2D6B0DA02A84F4281C36B4503369A5E0C9EAFC52EA04CDDA64BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:03.087{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-056MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:04.859{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD33F64786410B0F20640691B5FD395,SHA256=DC378235941B42EC6B558D1BBBB547BCFFE72039C28AACE5E7EDE96A528CD62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:04.255{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DA77E4910C4C76C297375F4683FB13,SHA256=589EA6FC0AEA80CB9D8B011D96B52F8DC25861994FA32C59168F967DDE09B58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:04.101{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:05.874{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1323EE62659497EEB37AF5778513C02A,SHA256=D0D68CD6505F076CFF766AF6A3F45E0D97690AFDC931FB2BBE17E830D4D76EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:05.258{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CFE15A52DAAA168C9F155E8C354BBC,SHA256=6F1C4A9B396260B21052963BD4CEC062572A0E94FD26A0CF2F85DDCE5F7830EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:05.427{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:05.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:05.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:06.882{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01663B36AA3383EC9B61B356BA79B739,SHA256=99455C726558E699E659D819862895B71BBBA9B73E391E4018FD849D6B67D39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:06.258{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7C48B8B046230F020E368C7582596E,SHA256=AD557962663C52512D9DF64E045D20C3034D895524BE7DA825BD774A72232E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:07.890{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6BD328081CED46F2B32C6287C16B38,SHA256=68677976CB6AC3F151AF3A89AF871A6C43BBF016806ED955262C84D91425E8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:07.274{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E12B0B4119F1C5CB1622D9458C6667,SHA256=A9F235D3F252CA03150CA4F542F1E4956FB9EAF95F43C28D4F0BE425E6F9612F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:08.910{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2065E28A2D3EC0CC1C8B354000FB7A47,SHA256=B04B53FC059D89250FFCCDA5F0BC2A2F482B94F0D2CFDB40EA5EB69E77DDFC99,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:05.338{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:08.288{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867355EF56AB25767D9265FFA4BB82B6,SHA256=E3B02CB6A665D18A3676641268C0E92A01BD302409269B3ED98614A167BDD020,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:06.694{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.912{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA65D224EFD009AAD84C6722726A571,SHA256=EE60D9913CA0B64470BF20399D0074493513A4699A19CB451A9F6EA7AC72F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:09.288{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C012E7341BE5BB5CA2DD8F259D0FD09,SHA256=206A124DDBACE4F31C40AC7012001A44F1C5CA4C272E156D6984750ED67ABC44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AA07-000000003602}6916C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:09.594{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D66-6227-AB07-000000003602}4216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:10.929{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2FE23CAACBB2280F6246798E6B1499,SHA256=14AA36797BEDDE7FB8727CA7A4D247AB2B19C5BCC7CEBEEA1E9AA8A16E38CCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:10.288{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDD30D3F46678BC1E6163A73551C501,SHA256=EA0789338C48361314E857B405EA655A5532714E93705535B46945F2A25BD207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:10.763{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:10.763{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:10.763{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:11.960{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C37418A02722545CADDD949CE9A40,SHA256=42800CC6EF1CD1156B12D30F7E143B37D4E8F70DFAA69ABCF798EDF28D2F23E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:11.304{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F4A80F634D7935E8CF0803BA9A75B4,SHA256=1C10E3BA41BAC2FA8698FBD37DDF6BEFDEFECB92C0D67B523C2D1591574B3D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:12.960{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B142B056173B900B8D3D149F8529F2F2,SHA256=79154FA8D35A1FACA5DF0399A4B7EE7096D1CF1BE63C5418792A45F72207E43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:12.320{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BC82C23D0ACA62247547A04E8F7ED9,SHA256=E3ADFAE9B396CF5BA213ADB22DC5B4DF35868833EFCBDB57DE4AF94E4EE0F235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.975{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A0D2E1DF8CB19FD291F124D21784C5,SHA256=C26DAE4C17FA4C4F11D2C1AC15199F460C33F7832516AE1DFE1E4DDE9B1FB006,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:11.354{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:13.320{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27505FB5A8E4965C11CDD8AE22B9D041,SHA256=DE28634F9BAFB4A3B05FB49C1D7D54E200CB88B901A9D97352B1D06EDD542F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405264C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:13.413{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:14.320{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5A0F71DFB75E07937AD01A29EBE9BE,SHA256=48DD31C7FBE74C70E73AEAC2A06F5AA44441902AC66AF110876F801D0CE4CC64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:14.812{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\AlternateServices.txt2022-03-08 10:09:14.768 23542300x800000000000000033940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:14.812{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\AlternateServices.txtMD5=7088657AFE3F05A34B878F365874442D,SHA256=FEE69281A3E66A7EFAD97582EEDDB936456F03C283D3F3A0CDD13604720E5D72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000033939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:14.643{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\SiteSecurityServiceState.txt2022-03-08 10:09:14.605 23542300x800000000000000033938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:14.643{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\SiteSecurityServiceState.txtMD5=CD7F546473CF2C0FE348CDD047C60A28,SHA256=8C3A150B7A16A8708B4657AD139125ADF4D1120423F1E6B87ECFDCEBDB214C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:15.335{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B672CBE2F235D724B2AE92775C9E25D1,SHA256=CFA5772EA614F8F15D9DD912E927239CB94F2DCDCB25F37018ED454F0D00A221,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:11.713{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:14.996{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49DD779C962A3642142ED8872ABD6AB,SHA256=2A4C276EC5591246ED6FAAAFD48F76789F70B4DD84388C6EB0AABC3F1A348C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:16.351{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561E509939996C05CD44915F12722A70,SHA256=B7D9A0BE7CFF22A133647F687CE7E39EB5A7BA127DB2EA4E71D367586AC0960F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:16.014{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79ED4EED69DB7CF1907AD0105C1596B,SHA256=8D42800C1112149085D6272D8F130635F3AFECFC67B48D77A9E0ED394DFF9044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:17.351{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABACDDC19638A12357622AA2FF3F107A,SHA256=D064B1997F1FB21C83E771679015C31678B0554A6D65C045E6E1EE5231236F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:17.045{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABA38CCE8EE0FF9F51053A8D24C309A,SHA256=E066C75C170A34B45A4E95AAEB2C7FA64F1A1EDD47FE61E7AA2CC8DBA5028EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:18.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9F3632B585E4CC691C7BFE6807B2BC,SHA256=BBC06F7FD38D60C86E546C9E3523472C21F790626800F8729BBDAA68AD117241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:18.059{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4241558A5FC38D02AB9D87D0539447CB,SHA256=7155B3484C0B84B1374F7C5680423015EFE2DB7A6641D1A9C24AACD5307D1989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:19.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25BAB6CADFD245756A815CD795CF94A,SHA256=639AC0C349ECE66E2496361827D74D498E5845EF3378DABFEF52EDA7ADF236D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:19.076{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669E4F49CF6B80D53A8E5EBDA4108017,SHA256=E2B1BA2B8A7544D917B3A61FF497B7A3C4B5B18EC6DF464CB7592A4E2EFA4ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:16.494{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:20.445{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B870C856230D87E68DCCC7FC39011C98,SHA256=7850530A83F33224249AF14D93C4FD21E98184B383434EFB901447C39D20ADDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.731{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DA8-6227-C607-000000003602}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.728{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DA8-6227-C607-000000003602}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.727{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DA8-6227-C607-000000003602}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.516{C64CDE3E-2DA8-6227-C607-000000003602}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:16.811{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:20.077{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E929B8C7193C0CBD64FDE0F3D8A8E252,SHA256=EC898FEA8A6E7370278F14AF286B4F660C4271B348460BB1D64CB8C141C3C97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:21.507{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DAA07FC4A92BADDE1F371BD547CD33,SHA256=387ED285E680D25606397AF19385D252D5550B4BC6DA05534B11CD56BCB31FE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.665{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DA9-6227-C707-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.580{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.580{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.580{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.580{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.580{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2DA9-6227-C707-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.579{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DA9-6227-C707-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.402{C64CDE3E-2DA9-6227-C707-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=792CF9637F7F276B2E5F2028C67EB620,SHA256=5BBA87E1A413710F8C9C1B5464C8D537FDE6401874AEAA899FE45E1349164BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.517{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFCB75D3E66C60335842DB6BE6927B0,SHA256=3FC701CEA234FF3FBE9834759BA7AC61F14605FD9213B04D54FC19CC0596EDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.102{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1314CABF6EC877AABD173A7F170E206D,SHA256=E06787711AD65278E6D89DAD803700F36165C97950C5FC16F9A63C38B992EF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:22.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED9AC452B0A497AE1CB31C9B3AA8077,SHA256=ED61BB9B0BE17744C50E03CE9FA3A7B035BEA72F097F653BC0D70D1C30E5F0E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DAA-6227-C807-000000003602}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2DAA-6227-C807-000000003602}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.760{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DAA-6227-C807-000000003602}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.645{C64CDE3E-2DAA-6227-C807-000000003602}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.113{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB78978EC1782BF5A6C99140A8F12FFF,SHA256=7B75965548084E4270D2CDBB4641579E27FA31DB29B57D35EDF138F3EF1A126F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.014{C64CDE3E-2DA9-6227-C707-000000003602}64685996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:23.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0110FF19F1B505530268AF1E52B4E4,SHA256=4DA2A17817AE87A70D0EB39B7783C9CCC84DE9480C2F8D918410A67BF75367E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.799{C64CDE3E-2DAB-6227-C907-000000003602}63205848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.646{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=792CF9637F7F276B2E5F2028C67EB620,SHA256=5BBA87E1A413710F8C9C1B5464C8D537FDE6401874AEAA899FE45E1349164BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.581{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DAB-6227-C907-000000003602}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.578{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.578{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.577{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.577{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.577{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2DAB-6227-C907-000000003602}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.562{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DAB-6227-C907-000000003602}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.431{C64CDE3E-2DAB-6227-C907-000000003602}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:23.115{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9BAE7A0F0E92729B8EE9EA5A53316,SHA256=06B1A4C99E0A1365CF955D5997B0D167E60F2A42DE44B3A44BED73C2034E0314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:24.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DDA3D89FCE861FDF59888BA581ABE5,SHA256=561C73BDC2E7DA792CAB888CFA215EFD615A9D64E4BD8B1280011A7473A1EC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.729{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51053-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:21.729{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51053-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:24.146{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981EFAEB81FB581A99842F52C2C24FD6,SHA256=E7CBBEE6A77269B5DB16F0E9DE61C25C84D9DFD95F607D0010AE7E05C27986D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:25.538{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE2E93F300822FC6844D65AB0546935,SHA256=D51E8CB6C476FA77CC71708ED902F3854A5B4EAD332A05ABC93D946726EDFB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:22.713{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:25.160{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A216FD1AB07FB8DD22C1DC9FC08B0487,SHA256=3319675DF9EC0860AF62287989CF61EDD5B3266D4A124833D11BEDCA086B4E19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:22.275{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:26.538{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC4AD9671194D311DF67CF42D934088,SHA256=11BCBC8673A1CE777EAFF5705AB91A071026A72EE63355847F66E0DF3CE87F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DAE-6227-CB07-000000003602}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DAE-6227-CB07-000000003602}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.854{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DAE-6227-CB07-000000003602}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.855{C64CDE3E-2DAE-6227-CB07-000000003602}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.413{C64CDE3E-2DAE-6227-CA07-000000003602}16365468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.181{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DAE-6227-CA07-000000003602}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.179{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBAB3365E5F6AB9A72CE7AF8FD3D70E,SHA256=F4CE3A83D495683EE3F05E2AB2AEF9F259579E6CAE082E54667E8676E3C0B220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.177{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2DAE-6227-CA07-000000003602}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.177{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DAE-6227-CA07-000000003602}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:26.176{C64CDE3E-2DAE-6227-CA07-000000003602}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:27.558{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A434FD5FAD9B2F4EABC02C43B80D777,SHA256=5C9351CD3ACFDE4A86EFC6273CB3ADBA29BCC5C351F2E22B0C23BDBC8A8F24B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DAF-6227-CC07-000000003602}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DAF-6227-CC07-000000003602}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.497{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DAF-6227-CC07-000000003602}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.499{C64CDE3E-2DAF-6227-CC07-000000003602}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.229{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F05F14F71784F4B5ABCC39E63A3A8B,SHA256=7FF25F0598E8325E0B1B60CD0B3317B18DAE66D73B632C97AB24F4B66B0B0164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.198{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E961D95EBD23AC298F953C1166285359,SHA256=F615CDBA6E0B5239287421AE155F7C30B7689B4AF72E18671AB7F1A68DD1AB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.144{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=25C667330345B771D9530D23090355F9,SHA256=8F7A8851F21350BC68B9C764B1729012BF3A70D0C485161F78C85662879EFAC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.029{C64CDE3E-2DAE-6227-CB07-000000003602}35804188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:28.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5789C7DB764F860FD0A89E7410C2E3,SHA256=35C328F54D73CAA3E4A27CDDA8271E6841C4CBBF2443E908FDE5CBEDA3C00D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:28.528{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80FFD2E26D9F69983B965E75240D5727,SHA256=BB2457CE05FE5FBC34CA43DBD19E8B94F7F9A3976F74F8E6735AC306BFCF13B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:28.259{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F5EFDA87CA531F20DC23DBA1225CA0,SHA256=ADD3DE96E9148527E5A25E040467280827DDD46FDC0574DC1BD56BDE8F694420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:29.793{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4F81B3428280708C3E0F50EE7F7600,SHA256=BC0C6584A38BBACE35FEA67A2E0D4D8D2434331E28A93E7A94E9548652A13EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:29.296{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F361C7788221A8168C1B57A1CF1B9FF8,SHA256=3763135A907A099485FB5DC21819B2138F8B7115782E0C933F5C98CB86D3B147,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:27.483{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:30.326{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96002892C1BB44D81BB9821061AD3417,SHA256=2CAD8553DF3519782919828DC09B13877540FD782C0389E7D5D9BE020E39E4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:31.027{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B376803030F5620656EA36A2824E05E7,SHA256=F472EB45852F971391A46F2ED8626EC607D1D3825A0C086E4FA38BE8E731C4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:27.761{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:31.357{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F173D4AE232FA14C63CFCF7054F90B15,SHA256=0D03ED35020BBB46231BF22650CB565462DC43D121E8CD641F8DDACDCB0DADBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:32.261{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F67A808175139074DB5E5A1B040AAA,SHA256=57AAC2262825AEF9FB7C1F83AF26F127215764E971F94DDF9EE0B77C8AEAE04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:32.375{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2EAA56C3A776C208C690CD7127D2B9,SHA256=9B40CAD39A39D72D8DCCBFFF0054A1057343ECDB7F3D2FD4FBAF04727ADBE0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:33.393{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B21C578CBBA0124931F871FCE7D8B3,SHA256=D2255D195126D6E9599CA865BCA02710C77D19DE83A1B719025C5B41E39FE3CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB5-6227-5805-000000003702}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DB5-6227-5805-000000003702}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.683{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB5-6227-5805-000000003702}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.685{DCBFC465-2DB5-6227-5805-000000003702}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.527{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=37CCC7E93E7DB7DCF4E2EA73951BD19C,SHA256=7644B5959A4F720803933181EFFB4B288182511C484EC1E42B4840964287B965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.308{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CEBE2BDED05C4542EB236AFDDB56AA,SHA256=3F33B4F6C259C5BDD597651DAAF34C12F17EC17206DA79D459703A48E069B9D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.230{DCBFC465-2DB5-6227-5705-000000003702}12483544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB5-6227-5705-000000003702}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DB5-6227-5705-000000003702}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.058{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB5-6227-5705-000000003702}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.059{DCBFC465-2DB5-6227-5705-000000003702}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:34.395{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8DB2AFE2C7127627781FEB33851C8F,SHA256=98FE1570CE5C07C8164A5043E4FF6D6AB9DACFE8BF6C9BB0C6B3D36FB0D6FFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:34.418{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9291531B4DCBCFE4F3B592783A8806EA,SHA256=A524B4EBD41E42F8268CB29A285B478E80629D6E7C766899E6563EA955A74133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:34.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71BC4BC4F24A887A818BAFB29FF5736,SHA256=080146C4D176037338CE1E3454E6C819714124E59CF7E0C421B0A086A735E9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:34.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AA894D2223659D2DBF25D0C7DE075D9,SHA256=1CAFACA43858EA272E17D723EC28D8A0F1F0274F93948E7CA5C11AF9C7E4C00D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB7-6227-5A05-000000003702}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DB7-6227-5A05-000000003702}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.574{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB7-6227-5A05-000000003702}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.575{DCBFC465-2DB7-6227-5A05-000000003702}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E3BA2B49B6F40B27C6EBF8B4E7B5AE,SHA256=DE489664E4C132552C9E1874346466996404997AB755317EC921F7C63BA0E77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:35.409{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2885C08DE73F05A1DED002BE86126AC7,SHA256=6D0FDF1AD261BC1F69177BE18519E26DD5DDB8FB19DA6DB65149BA5847CF085F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.433{DCBFC465-2DB7-6227-5905-000000003702}3372928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB7-6227-5905-000000003702}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DB7-6227-5905-000000003702}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.074{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB7-6227-5905-000000003702}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:35.075{DCBFC465-2DB7-6227-5905-000000003702}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB8-6227-5C05-000000003702}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2DB8-6227-5C05-000000003702}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.964{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB8-6227-5C05-000000003702}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.965{DCBFC465-2DB8-6227-5C05-000000003702}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DB8-6227-5B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2DB8-6227-5B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.464{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DB8-6227-5B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.465{DCBFC465-2DB8-6227-5B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC6AD5B284BC3E80E868051EC61E76B,SHA256=F1F12BCE92BF82D67DB8C53E3C682CEA5A779A550846D6ED8AA20622A1299063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:36.455{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2283D3B1765996190D66F1EE48CFC568,SHA256=5E5DF53A65BEB8CDBED89E20752BC7E6D0DA1FDD01A011E16383EB744E04FBF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:33.482{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.105{DCBFC465-2DB7-6227-5A05-000000003702}7843312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:36.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71BC4BC4F24A887A818BAFB29FF5736,SHA256=080146C4D176037338CE1E3454E6C819714124E59CF7E0C421B0A086A735E9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:37.683{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C8510BACC1728FB16DF4ECC04675299,SHA256=8AC6F213308784E7F3CB856387A3DCAA6805358C22BEFF9BC2632194458D45E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:37.605{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5ABBB04B8D6E15CE553020EC8AA1B54,SHA256=7BE243B43B1A23188F7B7E9E3E6AA64347481A07D5370B6FCA12A9003CD3C99C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:33.723{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:37.474{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FAB9B13015421E5F8B1F721EAE1D1C,SHA256=CB05661C847B04898886DD0B7E7E6627FDDD1BB8B186A85B020E3C89F796057D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:37.230{DCBFC465-2DB8-6227-5C05-000000003702}16483780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.606{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5E7BF43F999218BC35CED0781A49BE,SHA256=2256A62646C70744A2AE3D12042471DB62F2A0AB898D63DE5636F8858E69F1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:38.492{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2C037B5368213F7C21B843DEAC4F90,SHA256=9D9A708FEA538AE6DD418BF975D6FC522AC7D17F734FC7CB48CB6DC24B31ACB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DBA-6227-5D05-000000003702}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DBA-6227-5D05-000000003702}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.199{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DBA-6227-5D05-000000003702}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:38.200{DCBFC465-2DBA-6227-5D05-000000003702}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:39.683{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D157F1E72FC9D7843D78CE5486A3B038,SHA256=50AF6C0B9A921AEDADFA9FFA13A7B716CD738BCB9DDEA514A58C14D631AC8266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:39.523{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61D97649FCBCA80F828F768E630DD43,SHA256=65A5DFA70641DF7D954579DE1F38340A0F14969AFCF0F532D1CFA8B65CBD75CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:39.199{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681837E95CCB83903FB4851000233B04,SHA256=2ECF4D38DFEA269D03AE7D0E7BDF61E8BB742B6A4EC04EF9312F3AB438E02FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:40.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33755FD5FF7F6B6DC67DD8E58BC1BFA,SHA256=088D39D8587134BEACDC67814BDCAE2498AA614716B81B77A14447BA23DD4FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:40.538{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52C349C6F3070272A1546E3E0EBE223,SHA256=70CEEC5C00933D79E6F9C792A4BA77C0358DF2C8E95FF2A803E445D2E306C158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:41.964{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A870EA1F13CFCE743FB4016700C868,SHA256=3478734DAAD281E17237B259A3B65FAD9C0F38A6DA91A2446C7CACE9BD36EC4C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:41.906{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.bat2022-03-08 10:08:33.213 23542300x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:41.890{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\reg_sim.batMD5=66958048EFF4EDFEA6574B48FB0EFCE8,SHA256=FBBADBA1FA09BDF0035CC16054B18B8EBD3A457DC7BD4C7A3B3B57AC6DB44A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:41.571{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9CCC39E8524732750BCCEE5029216D,SHA256=3BEC6036DC76D18F486888194863E5774CAEC039CB8E780506C8B984EBC411A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:42.590{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6DBC021EFACD6F87E34DC87FE7A287,SHA256=2BF140BC93879F530498A919C4E096D595289391D7FE9675E12A9501FA1A8E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:39.373{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:39.751{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.674{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:40.019{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse193.118.55.162-38134-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local5985- 23542300x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:43.590{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A2496F8EE026798415B6F4A6E312BC,SHA256=005CBD1DD47AD30F03022B5D3CA66AD39787606347D9F67A20D2577664DD8B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:43.105{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FA0A2E328686B083A32724C68BF322,SHA256=3860DCFD375EC78805AA592A2F735F1DF10F37CBB923597B6D7CAC201C5719FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:44.621{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FDADCBE54BBA8EA406E66F42718EFD,SHA256=B1BA7E5670A1F3DB37D6BEC07BA0209AABC5079444064249F6DE17FBE050770F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:44.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5040288D3DBECF79C41E6B6B5988E1F4,SHA256=7FDA3485B7FDD7B0D34434175B277D3939E6A5450B08E4EF4E97768214142606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:44.183{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:43.436{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000018057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:45.386{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92ED3DE1D1515DA6781752365EAFC8C3,SHA256=00F1A810D916141229EF351459C6D2D2B5A1CAB7C527B6DB144224A6B6CCB28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:42.202{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse127.0.0.1win-dc-tcontreras-attack-range-462.attackrange.local54229- 354300x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:42.202{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:be5:ffff:98e0:6323:81c8:ffff-54229-true7f00:1:8b74:2440:4885:ff48:8b7c:2448-53domain 354300x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:42.172{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local54229- 23542300x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:45.636{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C512C1667D4F96B54EAAFE5356307ECE,SHA256=450A3107E96CF1D7B131833AB592A4D2953A46FA9BEDDEDD1C73411DEA0CF719,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:44.420{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:46.496{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CE172DC35DF4C61686AC3E7A62E925,SHA256=D94A81A1C207FDB425A6693371385AFA6951B0FF090BCCA6A4530341ACC25C8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:42.454{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-tcontreras-attack-range-462.attackrange.local54229-false127.0.0.1win-dc-tcontreras-attack-range-462.attackrange.local53domain 23542300x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:46.651{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39ACCCFF958E8498C8F2DF09391643A,SHA256=3AF3B1B2E1671B2F35537CD250B44E2E5D400AC597605019ADFD5D2077E612CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:47.500{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3448A98459C13E96793C1A6691143B,SHA256=BFD87026058D2D37DC991A20A3D94C0CF531AAE815DFD3FB669804B5A8B4CF2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:44.752{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:47.669{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8727A47E66CFB525F34B3FC73ADE28A9,SHA256=FBCF1C11EBEFA03C412BBADB478EC1390F963C4E8E63A0D143465D40FA07EF3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:48.989{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:48.989{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:48.690{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6B7DDF5BD65D19BA3FD35893ED13A4,SHA256=D598AD162B50A38002A3973A215CAA0C7AC86A22BAF14C30F3830DBF3A4F6113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:48.516{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11C30555CC3606E8806BA77EF0C2DAC,SHA256=63A5CD8F3F2A01AAA780F3DB75D16340A08D70906F2B56C94C2046E448AF72DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:49.720{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75657AE9EBB0C7B81964DE8BB0FB33C,SHA256=6657993EF21C629F090298C64CC7F83EBBCC6D3DD5FD3441104D77E28610CE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:49.532{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DC2AD47A0475748EECD4F20E43EFCF,SHA256=9479A6E235F1AFA2E90816BC30604D162562B8B00E5205F573F3319696D60B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:50.547{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B6CA973E5525A30B3850FDDF0899BF,SHA256=27031326CDA8B9B7687FDE472A237F5ADB719A2AA47B8A3435D4061B9CAAF616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.789{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.789{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.789{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.789{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.789{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.767{C64CDE3E-2013-6227-1602-000000003602}17405280C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405280C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405280C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405280C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.735{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B53E570FC907A2FF562EFCDC702A5C,SHA256=0C30A4681C28A7DC3E4BA2D10C8A9A69DEFD3B7429F414B1CE4A14BB6FD8AD61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.720{C64CDE3E-1CE6-6227-1600-000000003602}12964644C:\Windows\system32\svchost.exe{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.720{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.704{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.688{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.672{C64CDE3E-2013-6227-1602-000000003602}17404612C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+204ad4|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+1758c0|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+17c4f6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.679{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000018065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:51.547{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317A6E842318FDBDBB0F910FB5741A71,SHA256=54D696E9ECBEA788CD820BD657119557D4CDB402A8C304E0762D808F97834975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:51.735{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC672BD5F1A1456A8CC1DD5A55FD5BE,SHA256=20C2C1B53850837999842AA073BDD6F58A5F7CC884E6A4F25F91C82B381BC045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:51.704{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B672DA9569AC0FAC84CBE7407F562472,SHA256=8443C383E29414D4FCBCEA40B5066A4E816946E9B464E2BC6ADD32F57ADEDE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:51.704{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=520BAE60971A915B4E78D87532E0D1D4,SHA256=4BB754B25766C93CE4FF4BFC3B5140CBA6AD8F7DC1CB8ADA51F241E49D1C64C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:52.904{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=81C87B2365ACE822E4B5B3A5DAD60927,SHA256=FB75FC240791B22B5CBD39A32FFD35F86BC149F473FD2718F6108446F68311DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:52.751{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CFC090F134A5C5E696651B9929C97D,SHA256=C02B48AA720A44533BBC293BDB1F8FC6BA8929F84045917C29DAE45F04DDC650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:52.563{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526C68ABA1ACBA172D89B0BC46D9B75,SHA256=60383AC7DC2B86B95907BC3119B234496AC7FA83E6DD26FC1A3F5D05A47F0034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:50.331{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:53.563{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B794936BE78D6AF11183892FBEA46995,SHA256=9E21D73371E8A4472947B2E09CC2BE8729E238930E39EB6F247B1D1BD3DB5B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:53.788{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA483E2B09B961FC02680A92F811E2B,SHA256=1AA5CCAFA762D3A56A45EDAAA2972AA09BF43E46D92F6455166384EA9C2C1D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:54.579{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAE69E63EBED5B656D66052AD988803,SHA256=5708D220167DB591ACD2F0D12527AB105DD4ACBF869BD39EC56F2E70E7F4222E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.834{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98026E7B43D7BA444F69792C051E35DE,SHA256=0A6AFA7272862C77C8E21AE8B26AA4EAF7E00C64BEA209378554CB089CA44FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.634{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44122F07C95FA304773311866C8CDF9E,SHA256=DA0096888F47DC92AD69F522E852F466D1B760F4EB4CB4F84887A80BB7A4DFFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.572{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D607-000000003602}2228C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.570{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.570{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.569{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.569{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.569{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D607-000000003602}2228C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.569{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D607-000000003602}2228C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.569{C64CDE3E-2DCA-6227-D607-000000003602}2228C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.519{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D507-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D507-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D507-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.499{C64CDE3E-2DCA-6227-D507-000000003602}1632C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D407-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D407-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D407-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.486{C64CDE3E-2DCA-6227-D407-000000003602}6276C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D307-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D307-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.472{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D307-000000003602}6656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.477{C64CDE3E-2DCA-6227-D307-000000003602}6656C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D207-000000003602}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D207-000000003602}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.450{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D207-000000003602}6076C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.452{C64CDE3E-2DCA-6227-D207-000000003602}6076C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D107-000000003602}5624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D107-000000003602}5624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.419{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D107-000000003602}5624C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.421{C64CDE3E-2DCA-6227-D107-000000003602}5624C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-D007-000000003602}6460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-D007-000000003602}6460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-D007-000000003602}6460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.397{C64CDE3E-2DCA-6227-D007-000000003602}6460C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCA-6227-CF07-000000003602}3204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.372{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DCA-6227-CF07-000000003602}3204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.372{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCA-6227-CF07-000000003602}3204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:54.386{C64CDE3E-2DCA-6227-CF07-000000003602}3204C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:50.751{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:55.594{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3004B888764CCB42BA934DA6EDB9336E,SHA256=2B2B02C294FCD30BC2F9F36026857884C386659CC9939CD9A907756551FEE891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCB-6227-D907-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2DCB-6227-D907-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.949{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCB-6227-D907-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.952{C64CDE3E-2DCB-6227-D907-000000003602}3880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCB-6227-D807-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DCB-6227-D807-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.918{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCB-6227-D807-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.921{C64CDE3E-2DCB-6227-D807-000000003602}2504C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCB-6227-D707-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2DCB-6227-D707-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.886{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCB-6227-D707-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.898{C64CDE3E-2DCB-6227-D707-000000003602}4964C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.849{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE4E0ABD2A599D8F61964C652C1A75,SHA256=9AB61E1C455AD1797B4003481EBE1E6C4AC8731108398317BF9C9163A2BFE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.387{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B672DA9569AC0FAC84CBE7407F562472,SHA256=8443C383E29414D4FCBCEA40B5066A4E816946E9B464E2BC6ADD32F57ADEDE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:56.750{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBF7FECC8511124854E9F279BCFF507,SHA256=07900A432C6B67D5BBF9F8B4D41BD852A6C7E0F16194FDDFE8D4C4D6FFD1FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.919{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.903{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C44E8FD8B3833BCBE571EF46FC6332FE,SHA256=94A94D80AADC1ADED2B7CA8B708375129231411A794C77BA94A3B6907F92A370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.866{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290CE061993A7932AC7D31635F9FC462,SHA256=B14E64D6FE328B502001C190B31F921DBC5E95C30F2D84E7D0EC89B51612A1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.550{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A698400A5F2690876C4484EBBB928D65,SHA256=D7D93E982B9CDE5F418BA1EA43D4F6DB79D29D68576868A9DDE99B3F96E35FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCC-6227-DE07-000000003602}4352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DCC-6227-DE07-000000003602}4352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.402{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCC-6227-DE07-000000003602}4352C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.404{C64CDE3E-2DCC-6227-DE07-000000003602}4352C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.349{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCC-6227-DD07-000000003602}5332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DCC-6227-DD07-000000003602}5332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.333{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCC-6227-DD07-000000003602}5332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.346{C64CDE3E-2DCC-6227-DD07-000000003602}5332C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.302{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.303{C64CDE3E-2DCC-6227-DC07-000000003602}7156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.264{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCC-6227-DB07-000000003602}6916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DCC-6227-DB07-000000003602}6916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.217{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCC-6227-DB07-000000003602}6916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.219{C64CDE3E-2DCC-6227-DB07-000000003602}6916C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.102{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DCC-6227-DA07-000000003602}6976C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DCC-6227-DA07-000000003602}6976C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.049{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DCC-6227-DA07-000000003602}6976C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.057{C64CDE3E-2DCC-6227-DA07-000000003602}6976C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:57.969{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26562FC60EDDF8E4746FAEB327563186,SHA256=96572711E78FAC835F95FD0F968B832F4D7E6A95D77A44E47BDF3BA76248D261,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:55.347{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.635{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:57.284{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-069MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:58.283{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:55.484{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:58.035{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181FBFC3D81AB388A4EA0B853B32D17B,SHA256=E898F669BFB01BEDB95A15472D3101365E0CADC330FFD39AC9E9926BF4EB7463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:19:59.157{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC7ED4A2C5A7C28F99A7263331DC90E,SHA256=8EDD3234765A1735EAFA2F9C1835679A5558ABF784710CB6E579B8CC709CB3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:59.050{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D06BEF5BD8AF917A130F54016EE0D2E,SHA256=11BE51EDBFB0CB2C6E3D4A51859E5CF2652722AD63A4210ECC3333128D5B73B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:00.297{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B10FF4C27885F95089B5CB1CAB2ABD9,SHA256=6762D6E811890D4974CA9F417C417C8B4E202F667CDF3CB1D24A50A55247C3F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:00.465{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:19:56.762{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:00.065{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1509E3901C98FE93908FCB5B3084E3EE,SHA256=F0A4830B550FE388BB84F24E3AFBDFA300DE59CF20462D15DF16CC106FE8361D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:01.438{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2ED43D53272A5A3689CB49F86C8AF2,SHA256=421235FD7E3F2ADA31E9C56A2C635B71A8530D7CCD36B7A3D6B041E2B2AD6ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:01.066{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A3CFED2862D83ED79EC197C86BCD7C,SHA256=498888AF99FBE49EBEAF3FF0164DF72A1086FA98511BF484480EE4531864B702,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:00.491{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:02.563{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ECF34392D815A80E6CD69622372E5D,SHA256=D757EC75A15153E7D814404F3DE303102DB1C0A5B94D3D18E4C0B38FA51B8116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:02.085{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC29D2EA4FF578910F64426738CE2100,SHA256=6981E8153C5F5D20DA1D99C46AB0C17330D07D9666F2F4DDB93630071552B749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:03.594{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F9F657EB26582154E35BEF39283645,SHA256=4A0ECBA029B1179B76956A9B3D1164252FB3C154650B8CE6FF0028FB3720E9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:03.103{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8378810A77C37F28422EB5FAC697EC2F,SHA256=6C196084229DD8ADAA82DCA3C73A7D6BA607593C8C0FA6F59F7E08649499B605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:04.632{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-057MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:04.631{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38492D26D27FEDC0A32388190A20C8E,SHA256=BFC3D13AEC2FB3F54AA912F4B44610C35B5323E3284D1B35F69F2C16D2C28E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:04.106{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606BFCDCC59ABAFCD14940B54F9B99F3,SHA256=2087F718127E08C176398615C085770F20CD9FA9A3FC5D671BDB591300834244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:05.660{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCFB2AD4E1A8F9D977DF34EB20A3538,SHA256=F2F0FEBA23918077695E033E61863A703FD6FAC29C3F40CCBB6007D71C61537B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:05.110{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191F196B4745F86A9CC114ADA71EF0B,SHA256=9996022C3BCABD60760551078BB4A0BC1AFF284CFB425392961C08B05167DCB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:05.632{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:06.676{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA41F510C321945333F18C5CB01CA3F,SHA256=7AB665F23F73F67817B659AD824B802C76A6E062C611FC7B5537161BCB55CE9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:02.732{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:06.125{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758099B8E3BB7C3CA2DEEC36F5BF5E6E,SHA256=12B7D47C9DA97FD74EBB0786874C60C69742752364CA54848ACC1D67DA8E7980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:07.692{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E22630D92596356FDE00E74DDDB8845,SHA256=D700C0BAD9A82DF45A01624E5B740E82578A5B9920BC2253A0BEE3D7C5B32D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:07.125{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B883DD4AF79D3EB15DB3D409755D23C6,SHA256=F25D523A437172291FE992D7E624ED8B50CED83F3661D31BF7DCB0484505A38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:08.708{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D621756D70FEB2FA5C0DEF74B709E3B2,SHA256=111D38DD46249573940763FFBFB6730BADC88B6C1F79BC107B6DB3EEAB5E9EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:08.141{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94433ED681727F3B7EF3738C049E92B,SHA256=CD9DDDC8F152B1D10E168DD46FD94E3831F5C86B820FC997F2767FCD86C43EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:09.723{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7887EA1679EB6EA7032F9ABB9CEFC3F2,SHA256=D79D7B388A68E83A1B4BEEB6F80DA19DFD5264505BAFD229555B6A0CC3ED9737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:09.141{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB97242D27F7A55354053758A0A09D0,SHA256=C1AF6E68EDAF2E9B9630767D757BED24F924B3F93CF483A680C3560FAA328562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:06.351{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:10.723{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69547D63A831F4CA8854229826EA6D54,SHA256=EE3EC1369D3A55E2C1E051643859915395FE30530341ED48FF0CC92FBC9B6DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:10.609{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=9505B208071449D05A113B76598B32AF,SHA256=9567657BF6A5614CA808D524C450A07076B1AAEEC49EA8D4155397033BD648A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:10.172{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95618709374A41AD9F62CCB14708BA6,SHA256=F52A0E99E6F7F46914227A2D94B2CA8BEB9CF15FE93E03532124CE4A29B9E02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:11.770{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AD16AE6966EC29BBE0674E4F2D84B2,SHA256=D37420AED46F0C07E07FD1BDFA78C4DE1735FBEDEC5ABD88ACCF93F0758BCAEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:08.636{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:11.190{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E085F0D4C1DD4125A056086605C0B721,SHA256=5EA76BF1CA02505BF94704D62D5740E9C070A1D4C2373E31AF4CDD0909EE6C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:12.770{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD01898512654AF60049B4FF8B6A7D1,SHA256=21E459E9FBC909B4C3FBFDE1D19FBF58B856C8B9568A50D125344F536D78DFF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.439{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.439{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.439{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.208{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4F53202D1D416B9183941E7409C06,SHA256=49E7689227A681CCC4C97A6464563A94D298D73FB19ED5D22365D0965CB395AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:13.786{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E461216A6DFD362478545CA99A15891A,SHA256=F952AED47A6E825C37FD4F3CF6EA002C6D8BDA634BE7073403E90F4E2C75D9FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DDD-6227-E307-000000003602}5168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DDD-6227-E307-000000003602}5168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.792{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DDD-6227-E307-000000003602}5168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.795{C64CDE3E-2DDD-6227-E307-000000003602}5168C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.770{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DDD-6227-E207-000000003602}6320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DDD-6227-E207-000000003602}6320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.754{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DDD-6227-E207-000000003602}6320C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.766{C64CDE3E-2DDD-6227-E207-000000003602}6320C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DDD-6227-E107-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DDD-6227-E107-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.739{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DDD-6227-E107-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.744{C64CDE3E-2DDD-6227-E107-000000003602}6124C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterSetValue2022-03-08 10:20:13.723{C64CDE3E-2DDD-6227-E007-000000003602}5096C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealthDWORD (0x00000001) 10341000x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DDD-6227-E007-000000003602}5096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.723{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DDD-6227-E007-000000003602}5096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DDD-6227-E007-000000003602}5096C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.722{C64CDE3E-2DDD-6227-E007-000000003602}5096C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DDD-6227-DF07-000000003602}5676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2DDD-6227-DF07-000000003602}5676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.692{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DDD-6227-DF07-000000003602}5676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.707{C64CDE3E-2DDD-6227-DF07-000000003602}5676C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.454{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\aborted-session-pingMD5=669CFDBD57CD23A561160F3260424246,SHA256=8CD32DD45FFCE3A200257F17D369DD93F35A563EED1953DED4C8C6E2E7CA96F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.223{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0DA176DCFBE1D175B1E87FE9395947,SHA256=DE95DF6488EA0465D985F4E08D58AC6E92E026901E987E1F83376A843E6627FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:12.992{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:14.832{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500453026FE43EA4720DCD1B383FAB4F,SHA256=ED342959FE084CBCAB3C6C34730BD09B567B5E1F1538B3BE421603547B7AA7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:14.724{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C21B81B0CF8820F596FEF968C7BF6F,SHA256=822E2D525568F21501CF452E55FB378B947F4817EB6EA8A01A1DCBDF7F589F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:14.724{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B2F5436E3086B0862B2E71080204F0C,SHA256=0BA335D513DFD02E856A65C70EF51841A73E69F02A9826464C46604AD8E76FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:14.488{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761594F163068E45CA2CFEE8B0A6C2F5,SHA256=6EBE05FA5A6A2E9076CF6A170058721D3F25DAF19A17574091C141A637545C79,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:11.350{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:15.864{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119B7AED6F15FAAF08093A717155B31A,SHA256=667BB9CC27E5A6B8F74C69C926E476E24AEF8D5B45D19DD0CFDED87574E862DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:15.908{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:15.908{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:15.908{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4260fb.TMPMD5=847FF2A64311A111F9C46697989BEF76,SHA256=E334D2C69DEDC04CD4D70803894D1FCB59BA771169046B5DEDA16196007ACB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:15.555{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4631D99E1C69FD41FC09786302425E,SHA256=52D24B538A88EB3A79B14AFEF6D02957CF30B08F035C6F17787F4759A5829E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:16.989{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCF74A86BC68EFA625216C090A9FDC7,SHA256=D900D15C981D7D76393A0F5916A33AF48E27FD268ADF5E7DBAA2D9CD3625CD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:16.590{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0481B2CC077D5AF9E302982D57EC591F,SHA256=A483E7A3548B438DF1C05650D7254D4EA2819CCE03EEE377786A546FC8385FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:17.607{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA759F41EA38402A4C7F05773FF42E,SHA256=66E45B3660D57474244C5ADE70EA4FFF0B28EDD25DE9B30BB172EE591E3BB7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:13.765{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:18.622{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DC84724F4F1CD4DEFE23A28952A20E,SHA256=7282C348F91472ECB90B326FA72C562678A49977A5587467CE5D94CB28F8BBCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:16.430{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:18.145{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7657EF194685E8BB078D30B37C518798,SHA256=FE2CE94BE43045D2D6378A9955334F2D68820EE3F79E0E777E613A6F1F7CEB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.689{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19FDEF34D344883DEDD86B10A6A6F52,SHA256=BE4B428E946A7C46F69E4D7DE1B086464E5D85660D219FC332017CA1661D2DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:19.270{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1AF97855FC5DFBF3F55F2B39A028D7,SHA256=20E68C5C17FDECA7371B5B02732F18A84260DA52F1D9CF0B2FB32F70C9E96110,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.491{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:20.411{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB513A5171CE9A3F8E3375A4066A650D,SHA256=5466CC42BBCE7AB8AF7F33CBFC725AE36142BA2342FA291A144630DA5D1FE4B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E907-000000003602}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E907-000000003602}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.524{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DE4-6227-E907-000000003602}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.526{C64CDE3E-2DE4-6227-E907-000000003602}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.493{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E807-000000003602}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E807-000000003602}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE4-6227-E807-000000003602}5572C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.458{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.461{C64CDE3E-2DE4-6227-E807-000000003602}5572C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.411{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E707-000000003602}584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E707-000000003602}584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.395{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE4-6227-E707-000000003602}584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.406{C64CDE3E-2DE4-6227-E707-000000003602}584C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E607-000000003602}312C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E607-000000003602}312C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.356{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE4-6227-E607-000000003602}312C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.363{C64CDE3E-2DE4-6227-E607-000000003602}312C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterDeleteValue2022-03-08 10:20:20.324{C64CDE3E-2DE4-6227-E507-000000003602}4552C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E507-000000003602}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E507-000000003602}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.309{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE4-6227-E507-000000003602}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.323{C64CDE3E-2DE4-6227-E507-000000003602}4552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE4-6227-E407-000000003602}3112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DE4-6227-E407-000000003602}3112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.269{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE4-6227-E407-000000003602}3112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:20.278{C64CDE3E-2DE4-6227-E407-000000003602}3112C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:21.551{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E119134758BCA3CD932ABCA3079424,SHA256=0542C0F15900967050BBC577A3EBE6CD305E87A5DAECA7A7EABC1E8B45B149D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.341{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D09C7119214006AFBF95B7E41213016,SHA256=8BAE254655447CA32CD8ABD3161C52D946485092E23E23BF558EE7B8279E867F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.341{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C21B81B0CF8820F596FEF968C7BF6F,SHA256=822E2D525568F21501CF452E55FB378B947F4817EB6EA8A01A1DCBDF7F589F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.272{C64CDE3E-2DE5-6227-EA07-000000003602}53644584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.072{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF8485531519A01E1826EC96D0600E,SHA256=9171D648F384A782CB498B67FE7F78B4155556C8C13774D85E2BF8ED9C386F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.072{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA614F43D0C4AE315CE0421B46DD0A9E,SHA256=7C97B99CBAFF02315106EE6FFACD1AC684B429FE2764BDCE5C62C3F3945C1D10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DE5-6227-EA07-000000003602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DE5-6227-EA07-000000003602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.026{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DE5-6227-EA07-000000003602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.027{C64CDE3E-2DE5-6227-EA07-000000003602}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:22.598{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1CF3D031E70F0CB4890D18854F3093,SHA256=C90A5814E1E704C011E9ABAFD629BF921FD7AD2545EAD1D2392BDF6D70B67602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DE6-6227-EB07-000000003602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DE6-6227-EB07-000000003602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.641{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DE6-6227-EB07-000000003602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.642{C64CDE3E-2DE6-6227-EB07-000000003602}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:22.056{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A692EA6C0F45038B51EC4B1ED5F635FB,SHA256=6EFEDF8D6C171A99C8BA1F88238011EB1C538D30D089FA13B91390DA79458AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:23.598{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8972ADA7F869EDFDFC344BB2F02497C1,SHA256=FABFECC3284F24149999E58371CD6F7405D1C3E985B20345CD2934A587BC40BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.642{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D09C7119214006AFBF95B7E41213016,SHA256=8BAE254655447CA32CD8ABD3161C52D946485092E23E23BF558EE7B8279E867F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.626{C64CDE3E-2DE7-6227-EC07-000000003602}61522436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:19.752{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.427{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DE7-6227-EC07-000000003602}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.423{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DE7-6227-EC07-000000003602}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.423{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.423{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.423{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.423{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.422{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DE7-6227-EC07-000000003602}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.422{C64CDE3E-2DE7-6227-EC07-000000003602}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:23.074{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A5D533D176FC47E20E681D333BC8E1,SHA256=EC3A62CFFC97FADC93149D1E67187649DBADBF30C0D8DF880FEC819A67ECB29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:24.772{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDDFE83690B9EBE175073E95DF19F4A,SHA256=EDE8A2A35BA924102D05D3DE6E5385CD506EC0AA952AB5006A075200A018A6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:22.397{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.752{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51066-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:21.752{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51066-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 10341000x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.305{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:24.126{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0E8A933968101D4DB8E098D68A9D0,SHA256=3952BA73ECD00B1636C94D5D78D3F7CBFBA5E6972D732B9C89CDA9126403E3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:25.848{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927304266D5B031C7A4BF2D6E80BA367,SHA256=6DFAEBCC0D27461CD9C7F30605920541C40C5B357E82BF45ACAAC748F7DB9F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.441{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E7E05B811045DAAFC07F41D1F97DB0,SHA256=D5BD0A0E24470D5DA670D26A732C1144011469250F44F528A0B4B0C7F615CF88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.404{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-F307-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-F307-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-F307-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.399{C64CDE3E-2DE9-6227-F307-000000003602}5464C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.388{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-F207-000000003602}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-F207-000000003602}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.372{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-F207-000000003602}4476C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.386{C64CDE3E-2DE9-6227-F207-000000003602}4476C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-F107-000000003602}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-F107-000000003602}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.357{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-F107-000000003602}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.368{C64CDE3E-2DE9-6227-F107-000000003602}5552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-F007-000000003602}560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-F007-000000003602}560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.325{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-F007-000000003602}560C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.332{C64CDE3E-2DE9-6227-F007-000000003602}560C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.322{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-EF07-000000003602}6852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.320{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.319{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.319{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.319{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-EF07-000000003602}6852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-EF07-000000003602}6852C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.318{C64CDE3E-2DE9-6227-EF07-000000003602}6852C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-EE07-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-EE07-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-EE07-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.304{C64CDE3E-2DE9-6227-EE07-000000003602}5444C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DE9-6227-ED07-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DE9-6227-ED07-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.288{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DE9-6227-ED07-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.292{C64CDE3E-2DE9-6227-ED07-000000003602}5916C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.157{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604B8B4F1D2E484E86728480102DCF,SHA256=6AE64F7CA479BCE6AE226D2872AB63063654FA5CB8BD40CEBB63A1A3B2D91AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:26.852{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4960157C263B560D78724C452E131A46,SHA256=BDE42DE538505C5B196FC820D36153C7E95C87905A183E31B9FD9106F104B90B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.864{C64CDE3E-2DEA-6227-F507-000000003602}51806656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DEA-6227-F507-000000003602}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DEA-6227-F507-000000003602}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.679{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DEA-6227-F507-000000003602}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.680{C64CDE3E-2DEA-6227-F507-000000003602}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.445{C64CDE3E-2DEA-6227-F407-000000003602}42525576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.332{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90031C1E321F293718717722BD521A55,SHA256=5F5A5D7A9BBCC435E8D787AD8115B5DAFE8B2505CA3FCA5846A5A6E5A6B01884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC2E6A06343F969A1444C3083F5B3BD,SHA256=71A189A9C6FE18674E046D04D21774ADB8D8337A1F873DD10E13FF8FAE198157,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DEA-6227-F407-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2DEA-6227-F407-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DEA-6227-F407-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:26.172{C64CDE3E-2DEA-6227-F407-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:27.852{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7ECBD9107CDBCEF5F78410415561C9,SHA256=F5D223F318BC96BF8AD3FFDD3E2EBFD7238C7435B465624C22C1CA6F87DB6789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.710{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F195188319007FE4C96E894D27129308,SHA256=C7DD1419C055D9638D680AC85A0E0883688A0F8188E5B2D0C1204C48A0F1B847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2DEB-6227-F607-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2DEB-6227-F607-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.279{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2DEB-6227-F607-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.281{C64CDE3E-2DEB-6227-F607-000000003602}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:27.179{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59855F69C067C537957370423A915066,SHA256=E0EAEA981D202CAEA7E8212A5B1E53F9CC8D82A92495F5E148C94EF7FF237F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:28.852{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F87E2FED7402ED76631BC0813B6D86,SHA256=767BBEC7936AD4753D4D6C580057D545E4054742081AAA988C82816949DC8947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:28.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC49672FEFFCD2452C691634DD00DBF,SHA256=2A0058FDC851981E3139B3A71D87DE07EE25F1041CE9CADBDF211DF1E23A9D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:29.868{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736244B5679256333144846C6D5D7FF2,SHA256=CDDBA7BAB77D84363E2A03C100D2956F40FCB0C0F26C1E8A0BFBCEE5590669E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:25.757{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:29.212{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80645FFE262B80029EC63EADDA6EDCBB,SHA256=35FF1B718F1E778B264BCBB2F9BD80ADFF390620E66A9C93C4803A9DC0B00DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:30.883{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CCDD504902D2E57AA464730F27B570,SHA256=BD7F009CA0911056E496C48FBAE3769D79CE4561CB5F90E54F82D266E0360FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-FD07-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-FD07-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.963{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-FD07-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.964{C64CDE3E-2DEE-6227-FD07-000000003602}7112C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.942{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-FC07-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:27.495{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-FC07-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.926{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-FC07-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.937{C64CDE3E-2DEE-6227-FC07-000000003602}7156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.910{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-FB07-000000003602}4896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-FB07-000000003602}4896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.895{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-FB07-000000003602}4896C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.907{C64CDE3E-2DEE-6227-FB07-000000003602}4896C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-FA07-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-FA07-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.864{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-FA07-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.879{C64CDE3E-2DEE-6227-FA07-000000003602}7012C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.863{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-F907-000000003602}3924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-F907-000000003602}3924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.842{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-F907-000000003602}3924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.856{C64CDE3E-2DEE-6227-F907-000000003602}3924C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-F807-000000003602}5232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-F807-000000003602}5232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.826{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-F807-000000003602}5232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.831{C64CDE3E-2DEE-6227-F807-000000003602}5232C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DEE-6227-F707-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DEE-6227-F707-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.811{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DEE-6227-F707-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.816{C64CDE3E-2DEE-6227-F707-000000003602}4740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.411{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=BA6310B9FC7C8440DDBAA6EAC041835C,SHA256=FC077D1294B9F57DE4859D6ADF08F2D52DB8024F5C59097E32521DB84042322F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:30.227{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2474922FD82EB1A94384212E0828FC,SHA256=B313778B5A099DC120B36FD4EA702963C07DACA1933E3C60BD10523079D08C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:31.883{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1099113CB3EC5A1D78C5EE5CA6B54EB2,SHA256=16647A6E1EEB128B8753FE51E461B787C750AE303494B7C1D791364CCCF054F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:31.826{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D92F827CCFC3C4C458AD09A1B92398F4,SHA256=27F61816186FED423DCB2C9C234A38773DBF7D1A8B5957D85CCF76EA14E91188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:31.242{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE30430E33B800F561DF0A6CC744A86,SHA256=9953F7E6F5E72C4F9ED86D8CDFEB047EAD06222AFC21BEEDA31D8B53D8FEE63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:31.079{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCF52140C7F5E3B1C290ED74D017512,SHA256=A023C3D2373BD88EA571A8F4EC41BF981A8D35C24371ED0C530AED913A1031C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:32.883{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D06CF180183BFDE095BE63B88DCD81,SHA256=524E556E81A43DD3C5E35832182BA1772CB96986A854252572E1AF853BD1F857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:32.259{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83F9CF5D5B7E1B354355BC97F6EC5C5,SHA256=B2C76734E13E22ECA4C2F7F71E02E61D128A4974B86C39B05F3F10E76E5B5608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.601{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE22E87936E43D73FD90CABA866CD850,SHA256=D251439E828C98860DA5186774F480CF57008403206996EED509C92FFFD253A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF1-6227-0208-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DF1-6227-0208-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.278{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF1-6227-0208-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.288{C64CDE3E-2DF1-6227-0208-000000003602}6740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000018156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.852{DCBFC465-2DF1-6227-5F05-000000003702}34443664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDE-6227-0B00-000000003702}6161804C:\Windows\system32\lsass.exe{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDE-6227-0B00-000000003702}6161804C:\Windows\system32\lsass.exe{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF1-6227-5F05-000000003702}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2DF1-6227-5F05-000000003702}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.571{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF1-6227-5F05-000000003702}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.572{DCBFC465-2DF1-6227-5F05-000000003702}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000018140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000018139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000018138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\AddressTypeDWORD (0x00000000) 13241300x800000000000000018137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\LeaseTerminatesTimeDWORD (0x62273c01) 13241300x800000000000000018136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\T2DWORD (0x62273a3f) 13241300x800000000000000018135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\T1DWORD (0x622734f9) 13241300x800000000000000018134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\LeaseObtainedTimeDWORD (0x62272df1) 13241300x800000000000000018133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\LeaseDWORD (0x00000e10) 13241300x800000000000000018132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\DhcpServer10.0.1.1 13241300x800000000000000018131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\DhcpSubnetMask255.255.255.0 13241300x800000000000000018130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\DhcpIPAddress10.0.1.15 13241300x800000000000000018129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:20:33.571{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c0d7d716-088d-489a-b516-abd1049c6925}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000018128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.540{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6ACA8C6C05C713F51C95391A16C903E3,SHA256=8FD6A7382CBC55C21ED4D16EF77211C324D5899211199FF7E69421301A0139D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF1-6227-5E05-000000003702}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DF1-6227-5E05-000000003702}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.071{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF1-6227-5E05-000000003702}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.072{DCBFC465-2DF1-6227-5E05-000000003702}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.262{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF1-6227-0108-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2DF1-6227-0108-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.240{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF1-6227-0108-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.252{C64CDE3E-2DF1-6227-0108-000000003602}700C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF1-6227-0008-000000003602}5020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DF1-6227-0008-000000003602}5020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.225{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF1-6227-0008-000000003602}5020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.230{C64CDE3E-2DF1-6227-0008-000000003602}5020C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.210{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF1-6227-FF07-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2DF1-6227-FF07-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF1-6227-FF07-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.203{C64CDE3E-2DF1-6227-FF07-000000003602}6784C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.193{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF1-6227-FE07-000000003602}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF1-6227-FE07-000000003602}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.178{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF1-6227-FE07-000000003602}4512C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:33.190{C64CDE3E-2DF1-6227-FE07-000000003602}4512C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x800000000000000018160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:32.823{DCBFC465-1FE0-6227-1200-000000003702}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x800000000000000018159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:34.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B50D9C819448F460819DA27B89F54821,SHA256=7EE507A71BEE1F09DE9DB317A1B736A955D6FD048837E5B5DD72A326330DB850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:34.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F317E9D9776E541A0EEBCF6299688C84,SHA256=0914D66F9DC40AB7DE2C50483F75B53412C1460693EB1B81B2AEE89A95208421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:34.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D19A558263442935A1F0A9431E8574FB,SHA256=7CDE462D42C1E103EC252CD69965E5F561FB5E94EF4C0361CFC2819D8488A8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:34.285{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B41B1F478BD2D6B38BFDE41198B39B,SHA256=ADE06CF000F54CBDA3A36809EAB7D4A1057E78D3B8D0186ECC87A73AD48C702C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:34.216{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A4A4731E09EAF7D54F41F56EA5130D5,SHA256=E63AF21FFB2A3DD443405540EE12C7A7E4B853C099A4815751D2068F83EF6D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:33.354{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000018190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:32.838{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98f0:2984:89cd:ffff-60458-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000018189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:32.838{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:3c27:d85a:1d6:6586win-host-tcontreras-attack-range-179.eu-central-1.compute.internal60458-trueff02:0:0:0:0:0:1:3-5355llmnr 10341000x800000000000000018188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.869{DCBFC465-2DF3-6227-6105-000000003702}33203324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF3-6227-6105-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DF3-6227-6105-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.602{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF3-6227-6105-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.603{DCBFC465-2DF3-6227-6105-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.384{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03A38B4C2E4B9727102E16F8AB1EA3A,SHA256=057A7B90AC498D1FDA17BADAB473B2769C08D29EC22FB578127816EDB882EE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:31.655{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:35.300{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C497C5718EE8CCB80E5425A04B1DCF,SHA256=9245D1BD5F3EEA74998DF01FB839F4607F2B7D1A92BBE5442BC1B0D398DAC116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF3-6227-6005-000000003702}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2DF3-6227-6005-000000003702}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.086{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF3-6227-6005-000000003702}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:35.087{DCBFC465-2DF3-6227-6005-000000003702}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:34.623{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal63687-false10.0.1.14-53domain 354300x800000000000000018221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:34.621{DCBFC465-1FE0-6227-1600-000000003702}1176C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:98f0:2984:89cd:ffff-63687-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000018220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2162CAEB4E7728D06B21C5EE05CCC1,SHA256=3254B62584D21234A5BA7C7E1C057AC380F7F2AD8BB8A2E37D79D8EE4976547A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF4-6227-6305-000000003702}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2DF4-6227-6305-000000003702}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.602{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF4-6227-6305-000000003702}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.603{DCBFC465-2DF4-6227-6305-000000003702}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:36.315{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374DFB885FEA035DBC58BA37B245E46E,SHA256=24C53C7DB16CAE232C5D2C16DB4376E2AB5B6BD129BC54537CCA7DDFF426696B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.336{DCBFC465-2DF4-6227-6205-000000003702}35201880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B50D9C819448F460819DA27B89F54821,SHA256=7EE507A71BEE1F09DE9DB317A1B736A955D6FD048837E5B5DD72A326330DB850,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF4-6227-6205-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DF4-6227-6205-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.102{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF4-6227-6205-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.103{DCBFC465-2DF4-6227-6205-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:37.635{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CED5921B83750515F8EDB0199379CF,SHA256=93D6A8EC6A11D04D44690251917ED3C7742CF2680897F4B66B42BC58493C7D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:34.201{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63687- 23542300x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:37.330{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D411E4E0FDE61F904A72A2B40EE04F,SHA256=C86CAF2190D2441D9F9814FBE772D126E8EEBE2F8095F687590C87918B7BDD09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:37.603{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DBF1BC3BC80BC92D0C809200504A51D,SHA256=221453C62D888E91F508156D95E3A76E664DCAB9E13053743FCBBDD400C48C2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:36.996{DCBFC465-2DF4-6227-6305-000000003702}30201036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.775{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20BD238A6039541C622BEE3DC2D5E5F,SHA256=E70BA335FD011233BFD85A9B6B8C60305B0E49A2BF58584CB2351D2F73237CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:38.382{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=FA9A6BAB17623EE6BB172EC9B6710F09,SHA256=3C890E2E376D56BEA3E40FF14C69E18DFE2C5D8CD78079C6D396924ECFA22443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:38.345{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7156366C52F7D676401FF5B29FB4C72,SHA256=89D822ECA4F148A55B21A00A726D3C0B48DBD400D5AC6D02C10A2684069C31FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2DF6-6227-6405-000000003702}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2DF6-6227-6405-000000003702}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.197{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2DF6-6227-6405-000000003702}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.201{DCBFC465-2DF6-6227-6405-000000003702}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:39.822{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5997D6847C3D999E3AB23FE412FC16,SHA256=DEC780530861575DE7F856953BF92EFAC9675714B94090214C0FC5628A39C122,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:36.690{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:39.363{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEF5424194E1DF0E9DCD0A7C69B3F9,SHA256=9855E7891C4B2D471F86DD46F387116E4D534221E48BE3EBA83C2FBCEAFE87F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:39.197{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3B80CAA9D2F6C0432A7046CF508E7A,SHA256=CC32959977C331DC8B6985E3C345D4573AF73F4057D4BB0705F30D5F7FABEE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:40.822{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171ECCA65C8E18651DFD52159D6D1268,SHA256=FD7ED6DA0DFC768EC71905229FCB0443A2CDD01641BA7A487EA925A0A20CEE54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF8-6227-0708-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF8-6227-0708-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.766{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF8-6227-0708-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.770{C64CDE3E-2DF8-6227-0708-000000003602}5580C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.744{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF8-6227-0608-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.744{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.728{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.728{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF8-6227-0608-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.728{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF8-6227-0608-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.741{C64CDE3E-2DF8-6227-0608-000000003602}6872C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF8-6227-0508-000000003602}5812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF8-6227-0508-000000003602}5812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.713{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF8-6227-0508-000000003602}5812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.723{C64CDE3E-2DF8-6227-0508-000000003602}5812C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.697{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF8-6227-0408-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF8-6227-0408-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF8-6227-0408-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.682{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.693{C64CDE3E-2DF8-6227-0408-000000003602}5880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2DF8-6227-0308-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2DF8-6227-0308-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.666{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2DF8-6227-0308-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.674{C64CDE3E-2DF8-6227-0308-000000003602}5688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:40.381{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31653DFFE09039E5848CD09F20BF509,SHA256=D6FBF414BFFB7F181F931180BA897554B4D8835C66BDC6AE1956EBB43F551E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:41.916{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04872AA8634A48FA1273F3A3EDC293DE,SHA256=548DA4917F4FA99940F0EEC762C4008E033F9112744E17540E9F1A7643824AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:41.681{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF57D8C3E5CA5B9942EA508E96BE9839,SHA256=3ECE9906287D7B1083544FD7AB2B397E2AED1C2229055C3C9724E115AE8ABAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:41.681{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD2540FCE36B27FD1AC3B8B5B46FBBDC,SHA256=5D6BC78126F0F0CE37F2836F7384352CD7B66FF03EB347E2ACF672CFFC61EB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:41.512{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1765012A970BC6CE382A72965B128,SHA256=0602E39FF7B30B7D7E18B095B681329BB4DDD8D93CB5FF83935402910ACBEC2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:38.356{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:42.916{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81369877EA4B2C0FCD783E4C5C08E0,SHA256=4761B01AB1A2B2B8E080EB6517A6459E331F2CD7591DCCE82F3D13DBAADED100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:42.543{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F027E7679D545193CD6F245889C05C,SHA256=B84822569C7381DED233B201E906799DD4CF595EC5249B352B3FAF54EE0A842D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:43.916{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A291D185BD834371F2E2FE2ED1CEA7,SHA256=64A2FD0397A9AB874F6F1AFC1111B23D65F585564BF4DA1CE1D6F6894046D930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:43.912{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:43.543{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EC2A972CC0D52D4180D688B3FB5C57,SHA256=278ECC68120C8017E521366DC19ED4409300315975E91C883ACF757994CC05BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:44.213{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:41.720{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:44.544{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5E55124D94833B45085611CA791CE1,SHA256=8915AED5DC5518B51055689C205CAA3CAC7F19852FCD13158EAD36A3B631DB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:45.135{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0935A53595071E613533C90B0485F9,SHA256=B7EEEAD8AA4E1557AE1C078883E284EC09178C2157F37398593AFD07F4F1E4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.581{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC84B63503D5F43CD1462D4FF5EF5FA8,SHA256=C98758B516E126096B42F221E5A7557149D84405147E7F4EB11A3AAE3A834B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.428{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.428{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.428{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:45.412{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:46.611{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A6AFB49344A6891548CD30DFF9FFD1,SHA256=DB1E26682E240892217B0107F5234419634F5E627A5F2F7DD978A23131F89CF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:43.450{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000018250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:43.450{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:46.244{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C7E0C6B5EC8E2C497658C2AE56A7D6,SHA256=0781695301252F761A2C6189ACF5259DA19E7000D90A53F6D49A90998C52D504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:47.641{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3217CE5AAA2351110E798A45883A8DF9,SHA256=FEB6A261B04B5C3C3327FB13CD468AFB1BFDD0DC30BD431ED65F1C79DAABB004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:47.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC7958D6BB8157A95E7E0A8084D8D86,SHA256=4FF35709FB46312D67EAB72F1873B4BBC2590442C62A4BE5DFFE38B4FE358D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:48.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B661FAB20FCC24EBDE355122F10595,SHA256=1684444A9D6F38C790F30D86C858C710952161C4AB4D5CE85398987C289FAC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:48.662{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F556FA25748E36CD570DFB002241A5BC,SHA256=1093668BAF92829AB22D5D8C81D084E3B3C34BB575E4CFD0B00395D050ED6C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:49.449{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4934B7F6BD2409D4508B4367E23740D9,SHA256=BA0272EB258284E0D659656E35BA1556181B3C94650E8814D371062BDA749D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:46.785{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:49.708{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9FBB62FDB3BEEFC70E8B2857292649,SHA256=1723E350BEA9FF1E7FF1F5F4BCAB5E857F212F3AE4C1BE2CD7886F76E853EF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:50.589{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F769CD0C7A225075CC243F1A20FABB,SHA256=9E2E77208EC924EF68DD31BEADD78B78DE2324E1D866231CFE7D93904AC07AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:50.709{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCA071F75B2F1C29009C6426C853092,SHA256=B38CB102932311B3F3BF1423A725ACF35B5F5BF4B4208CDC61ACEE109C7B7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:51.824{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E99BCC16F94C26827515005B06BE732,SHA256=BD162F4CAB9E94706E461FE4F385A18789935DE8EA4748C688A4B751B5B6CFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:51.714{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F509A82107B23E14F46796EF02BF26E,SHA256=48356C34F7E5074B2A78FE50C12FD960D126D829CCC5EF0BBB628E43B9915BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:52.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E4F534083FD2A458E7DDFE76FDBE89,SHA256=4979DA04D8B44F582146EB9C1BC4BF2EF4BCA29555B9FD84D85EBABAA2EAD2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.913{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2E35F4E0973DE73CC33FB0C9CA585076,SHA256=350BA7349309516197D231DC7A8A154756F5F0C2FE9BA00D84DB7E16158B2243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.728{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8405DAC9D7C69EC620A020D9B45BC2D5,SHA256=10E8A484BD5CDE9D925AA73371CC5AFC58A4CF69D541C17196F0C5E908AF6DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:49.467{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.513{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:53.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC6B591A9517C521E29D8BBBE3C98E5,SHA256=A6CC0FACD82EA916A12B0D8D79E3D8F37ADD40CD38916A02B55CDE53136E48DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:53.730{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5057F48E2CB1849C18495CB73CC050A,SHA256=C77DAA2EBCD513F52A2A1E776BD4AAB23287867439BCF54EF58D13D19ED12DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:54.871{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC7945DB0BE9E9A1102A28ADC96E693,SHA256=DA98E94D8C96D1E3DEE3FD002DE6A2D8B2D7524B12DD0119648A5F467088B3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:54.745{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140337D56BFD46EEDD0DDAD1F2C4CC6C,SHA256=F88958F845895FA189333E07D91532D02FAB623DF644A66CEBDC22BF9703E0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:55.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A54F36281F897E210B7A0175DFAFB1,SHA256=B9D49DF3E6D770EA8E8F1CED5454C1ACDF35DC2793EFFF1AFA7916250EE19101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:55.763{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4164CF791C9698EBBD42D68C6C6D9C,SHA256=348A970CBE9195C2EE06CE94278D65239AF33E499D48D58AFC880E3098047B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:56.902{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314CCD594ADB181E0A849E90A96E50A8,SHA256=FE9AF8E326566AB94720C410E39D4986DA3CB8304B65F51640980C0376BD8DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:56.945{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:56.782{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C14941FB2D1F58E88D6F6884A451755,SHA256=91E5822D5F90AC6E0D9C95516F363709791D643656F4A6B6D1E8B71DAFB51651,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:52.774{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:55.504{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.797{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866357F3F9F552E5FB1D422C8F79F884,SHA256=F32F21FDCCCC97A47A0C8F8F487CC1973DC5AD6F823BE0986B9752441C5B87DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=04596B4666E74A2242E4EBBD3CC5E0DA16F808A47E6C3C4CCE6C4BD2FE3DA95C 13241300x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 16341600x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local2022-03-08 10:20:57.566C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=04596B4666E74A2242E4EBBD3CC5E0DA16F808A47E6C3C4CCE6C4BD2FE3DA95C 13241300x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:20:57.566{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.566{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-2D33-6227-9207-000000003602}56606028C:\Windows\system32\conhost.exe{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.482{C64CDE3E-2D33-6227-9107-000000003602}52841416C:\Windows\system32\cmd.exe{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:57.490{C64CDE3E-2E09-6227-0808-000000003602}4432C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:58.811{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D05FCEEFFB4C00AB3498A98BA03006D,SHA256=EE74C0F0FEE39A2AD6C28F42E1D197F50635A3A5E6EEF92A4183746899F547CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:55.373{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:58.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C23F481EA6ECDBEE15901CB7A781497,SHA256=F486D71F2A991FB2EB1717FAAE3ED8AA81B0721B564600D8870AF168DB282438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:58.799{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-070MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:58.497{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCB01325CAF894D286C0F4FCF3AE044,SHA256=7164E4D65ADE48C93980F8D476E5CCB65E61944EBBED1728E9790FC6B2F78BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:58.497{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF57D8C3E5CA5B9942EA508E96BE9839,SHA256=3ECE9906287D7B1083544FD7AB2B397E2AED1C2229055C3C9724E115AE8ABAF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.896{C64CDE3E-2D33-6227-9107-000000003602}52841416C:\Windows\system32\cmd.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.901{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEregeditC:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.814{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E213122544CFFCC8131A8B0D022C78,SHA256=5DFD0E2F43EB6118711F47802A77B9C0411F2B779C7360D4314707BCE05CBECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:59.813{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:20:59.089{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2DAE90A76A22622BB3A435491C79B0,SHA256=70F55AB3A265115612543593420BCD0A69D0ED3A9361F6643E480A94D134D365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.902{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BCB01325CAF894D286C0F4FCF3AE044,SHA256=7164E4D65ADE48C93980F8D476E5CCB65E61944EBBED1728E9790FC6B2F78BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.833{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B5375762034FB003526E6B41143EFC,SHA256=6ACFEB8726130445F207B012EBCF315182F36213C0F8FA428455A9A3D4F073EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:00.199{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3DFB90416C7BCE00B409DD20D442CA,SHA256=639B2A2D2140DE57DE488D3FFE4923C26BE7FEDE90AC6A6EB848B63F2DCDEFC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.570{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.570{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.570{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.566{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.546{C64CDE3E-2011-6227-0B02-000000003602}6005036C:\Windows\system32\taskhostw.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.531{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.531{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.531{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.515{C64CDE3E-2013-6227-1602-000000003602}17405708C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.515{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.515{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.515{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.515{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.428{C64CDE3E-1CE6-6227-1600-000000003602}12962116C:\Windows\system32\svchost.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:00.428{C64CDE3E-1CE6-6227-1600-000000003602}12961336C:\Windows\system32\svchost.exe{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:01.848{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E836D5C6E25DC5FD8BD0B96ADCC1FFB,SHA256=BCE236ECD65035554374C91C8B04A1BDAB5ECF17FAA481E8E87AC592F0ADEBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:01.230{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2BED6003EF67DA2746388071EFC107,SHA256=ADC64F3D024C2ED180CDA5A588BE1A09B21F2BBA0DE85330E017236EB59FE502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:02.866{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5936A95CC1B73DFC247B18C0DEE03C7,SHA256=1339669A13A6621FA93453957FC4548908CDF584EAD112A38EAF05EC188FBBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:02.230{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784308F0FB9A6237975EF3A35D48072D,SHA256=228DCA85A9EB52C9D56A975F30008BEC67889341A6C0FAB4F772B37C299DAAC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:20:58.671{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.884{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED103C5CEC3F9EF491980F40879E1B29,SHA256=008032EA1BF19BEF6E0DF54C247A206F2A45515B767978A28DD04A3E0D088A93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:01.357{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:03.246{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684C5A329475C0A54F3D01612B7465D9,SHA256=96D7E52BB66D12D0A648F9EE78CDEFC7200FDC748CA56675AAC2D2DE98EBCBF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.132{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.132{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.132{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.116{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.116{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.116{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.116{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:04.900{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61CE392E6ECB1FDCC87A66685EC8E2C,SHA256=1406387B9558F8DB3F3C70FA5EE90BCDC5EAB49C28D279C707E34708B1E6701A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:04.386{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAF2E78E846ABBA95B2441A6D18717C,SHA256=F2C33D792A4FC9FD0CDDA7B885B3BCDF287230E45D331A90F74E8B6F18D4F510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:05.915{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5446DE4ED5A80B8BEC95D1A5865F84D9,SHA256=26E9967BD80DB8F4638BB6E94BF118304CF88F54F4617B50B16B915E7B2BA1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:05.527{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3757BA25861A6024FE5C6971763B80F,SHA256=9AFD05D7DE4F1BE79DCFD3C962269A126573E3F55DAE2FE202ADE3A8B5A50A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:06.942{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7841FED2B026FFE3A533D01FF9294D0,SHA256=599B08CA307A959F674C4689D5A0174FE25AFDECFB2A7546E754962301AC1053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:06.763{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6FA5692A7385F3BA8EBA9888353E74,SHA256=68216228EA69C4AC45B6DD3993DDAA83A5325D062542C12895A17E6311344CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:06.154{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-058MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:07.794{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF44B2A6E053310951542B3502F31C8,SHA256=FE1229C8A3C1A70756A750D26F5F7E8129EB0C446E75180B52DD1BA381810EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.966{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5615047AA7C0CCD20C4DE24434762740,SHA256=D6D0018E56F39B4B0019A642BCA20CBCCBD463CFD1B5218E05364626112A1482,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:03.690{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:07.168{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:07.154{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:08.841{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F65DAD7E31679A5F5A1397D2C2A08F,SHA256=4FAFC2F33CE86360E4A4BACDAC84CD298F8B91CDC14486AA640579578781900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:08.984{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5074CEDFF4913E18136418BFCF92FC1C,SHA256=0283F61E144A994891F6DF7D170844DDBE34929DCDE0C613887F99A0B74D6DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:09.872{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDF143736070CEFDA82F2269D1410B9,SHA256=0819E48C1895B98B738D1ED4A40DBB0FE7DC6974FA004083406CD26BA8675015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:09.984{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8F226F09F4BA8EF2A586D5A8EC1708,SHA256=556D7CEBB7139ED062B9F139D85D12E0DCA7FF14B87B1922948496B0EC700F88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:07.296{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:11.122{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A83A97FB7B3B61C99A50EEC16A486A4,SHA256=F1BCD338E1A7F4C7CEA71F2D8625C7B11479294AC47748249C1DCE0328B0682A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:11.015{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794E9E55D9EB71B66E750AB3F8517A2B,SHA256=06D749B2B69DF7A47393CDF0473154341DACBC99DA2DC7C7797D4EED313CAEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:12.310{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A91F41A3EDB9964C743074FA04B34D6,SHA256=8B91F0D806047A85160FBEDDF1DB1E6297A3AB66E8280887294D1872067D58BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:09.720{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:12.445{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=2CD98737A2AAC26081BBADC9A29BF0E1,SHA256=BC5042B055DCE51F597A932E3CC0AC025070C87747652C1520F31FC390CE9F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:12.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6747FD1217A53C672D3D50DEFDA06B4A,SHA256=07FF19F8263DE7933F167039EC2F6611B318D8C952045B7D570E2F46BF496D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:13.310{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8D6A509FF26E533F174ADB085FA740,SHA256=B195722EF90752D3383B57B1E9F7C8B192DDEE0876E08A090B313D66EE472B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:13.045{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556EC12E3765D2CFBDB143AF545CC4FC,SHA256=8AA2295DA70F55E69CBA02C88049C2A04A125DD0E2AA6CD3B7319CBE68F634FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:12.328{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:14.544{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB885531FF78BC569AFF5248BBE5ADBD,SHA256=6FD60501B1CC536AF7BFC1D528B5657E7BE60428ABBD288E43EB5CDD24284A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:14.064{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7957EC018E5586596B1A0C10990837,SHA256=98C75809FE8E22E48619F904CAAACF3FCC46050472CE784028AC017225009A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:15.576{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE85653823DF0B0EE7672E7F237272AB,SHA256=F6AD832CF82102694F39C407FAE523DBDC7605AF530430485CBE34C51DB4D637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:15.099{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2776AA792CE13EED63EA8B0D81ECE5,SHA256=A8216C33DCA10B86FA9A1AF00AC287CA1C909EC4C63D255A32BCF07ADD19560B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:16.685{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3FE1D79ABB5A0E623A9A489702D52C,SHA256=4CC5938C82906D9C91BE12CB0C6063858C484FADDBD5A9575D227FB3F41BA0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:16.114{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A78ADD77CEBC511F2E525921BC6709,SHA256=53271014749BB8CD764E5EDFD78E88D58BE2CCC3EF03E13D3BCD5F40A4EB4F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:17.857{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA00A937B0E232A939ABAC83B7E4BF4,SHA256=AA85EFD67BB1320BC5FB0466E0011B168F5E395B661C4ED6E75AC1AEF8C5CF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:17.114{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823F0DCA83B92344849BFF5D0944824D,SHA256=6C1EE9B056F94B3547D25D6BD2DA144520CF0EF6FC3A4F4B686352BAB2A94090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:18.904{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0954BAAF17625425A518FE17996FDB72,SHA256=F3B47CBD7844323862B88472CB83B33D9A251E2CF1362D1E4F9C904CD7F58ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:14.772{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:18.129{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F64F8C8F324304FB77FA0F4BDA13FEF,SHA256=7CAC1710C04DB58A3467CCCED75B5C72AC3FE14B59F16A6AC264348B07442885,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00435955) 13241300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0xde5d5b9a) 13241300x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d6-0x4021c39a) 13241300x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832de-0xa1e62b9a) 13241300x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00435955) 13241300x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832cd-0xde5d5b9a) 13241300x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d6-0x4021c39a) 13241300x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:21:19.490{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832de-0xa1e62b9a) 23542300x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:19.131{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822047D094F2397495758B3527160894,SHA256=49721978FF1F55A3875A1CD64DF3C22014757F7D45AB8E3C74CF4A19E161DAC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E20-6227-0A08-000000003602}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E20-6227-0A08-000000003602}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.404{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E20-6227-0A08-000000003602}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.405{C64CDE3E-2E20-6227-0A08-000000003602}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.151{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCDD068CB8D68E17D74AAD6F4EC1924,SHA256=268C3B9E6C1CA1694D3F862AAB3EE84FA6A99C70E2874E7A2B03BF44DA713A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:17.390{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:19.997{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D2583CD8967CE4FF8FF7DEC272ECF5,SHA256=E355DBE72BC04DE2B3BDF3DC45BD82109DA04ECBA225196ACE541B2F383B72C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.450{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F833C3A513BD035283DCB5415C241FC0,SHA256=8AF2685B5AB335FAF71F4F91D234EF1155F6C1A3DAFA8FFE129B2115657CC56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.450{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B52F258BFC47BD55589CF2709A3036,SHA256=076E46EF36DF590BC731C70141E4EC81DC23AAF43F733AE2E06CA2D518770456,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.319{C64CDE3E-2E21-6227-0B08-000000003602}47126416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.188{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBCC4F572B475BDD51A7BAE15B0B887,SHA256=B166DE6B515DF58368AD3AC29ED237B79FDBDF8FFCCC74D0D2FDC05BC7E4FD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:20.998{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92E0AED96D6867FC08E82A0B105D8E,SHA256=89B136BD47AEA080CC25EBA19CBB188AF518B11E73A0643C4B5FBA674267C8C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.071{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E21-6227-0B08-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.068{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E21-6227-0B08-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.068{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E21-6227-0B08-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.067{C64CDE3E-2E21-6227-0B08-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:22.091{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210D366F5E58419DEB3970432C122F47,SHA256=90CBCFC1E477FAA8D5E5BA9A7F48CF8F4B48DDF9A10F9B8FEE4729A6B3F8FB7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E22-6227-0C08-000000003602}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E22-6227-0C08-000000003602}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.651{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E22-6227-0C08-000000003602}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.652{C64CDE3E-2E22-6227-0C08-000000003602}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.250{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8508DD4915FB531C3526ED17BA6239D,SHA256=4EB28DAF2AB483463B1CB15D2C4768EE300EA3D3FF494AE8ADAB87C4F971B506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:23.153{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809800A060599DF4B541C78D70215FB,SHA256=3E102586EC2E466E3EB54320FD42917B86AC54C5903F1E5F46F2AF6FC7D438B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.916{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.911{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.711{C64CDE3E-2E23-6227-0D08-000000003602}56684032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.694{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F833C3A513BD035283DCB5415C241FC0,SHA256=8AF2685B5AB335FAF71F4F91D234EF1155F6C1A3DAFA8FFE129B2115657CC56D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:20.624{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E23-6227-0D08-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2E23-6227-0D08-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.532{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E23-6227-0D08-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.533{C64CDE3E-2E23-6227-0D08-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.414{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7F69670526308AC409D597E38454E36B,SHA256=367E69796B910D54F38BC079BEAF11CE1AD259013799920674EADD2BBAF232B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.412{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9C644D200E93EE1E01CA2103FFD61A66,SHA256=1068ED9338145D175602B9BF89D549944D0B5AE023D3A14F56280EE8500EB109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:23.263{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E007B8AB764D8110D6BC35DF2688606,SHA256=E5E9FC2B1546DF63ED68A9E9E969E76DF3FC8C44E0CDF56F650E1E30A9F42E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:24.169{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA35755E09D8783A29CB9BFAFC4FBF5B,SHA256=936D66415EBC5B4E1B6FBDC8E9083E08600CD62CF9572EE86284F7A2A13ABDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:24.946{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DBE65D13EA6CDE5EB71EF6667D04527,SHA256=2EEFF1A049293CA3A270C751C5227BD5B533A14C3F201521DEC58EBE94E87304,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.768{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51079-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:21.768{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51079-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:24.294{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFCC486726220435023D343BD239432,SHA256=F8A9579CB8DF65DC1128EFC83B67DC162AF6A45860F22C2DEFC87E26A19C6EEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:24.032{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CE1-6227-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x800000000000000018296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:22.406{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:25.185{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45269F1255410AC0A8F83C89839AE9E4,SHA256=0DD02ABC17837E2B9FD16919E7809FA2B087A6AA61CA1AE2FCACAC1F48189D15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.608{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51082-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.608{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51082-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.496{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51081-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.496{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51081-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.487{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51080-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:22.487{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51080-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:25.313{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1655BAA7966F1823B98AF5295653461C,SHA256=CBDBAF7BC186C1CF1058C7F341861F2C0CB24D70714B4F94FEFD10542BDAF3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:26.294{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA00E199264B6DF8A9FDB60B0DF407D,SHA256=CDF3AF22FD06F5F0E6710BD3DD52BCAFA880BE038F02835A7F0A858E493B492B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.995{C64CDE3E-2E26-6227-0F08-000000003602}44363912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E26-6227-0F08-000000003602}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E26-6227-0F08-000000003602}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.679{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E26-6227-0F08-000000003602}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.680{C64CDE3E-2E26-6227-0F08-000000003602}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.446{C64CDE3E-2E26-6227-0E08-000000003602}57366048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.330{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E69456511C14C4A55B3838970A102C,SHA256=A99F2F1147A54E658821647BCD9994500E9190117384ABDE74C73B654EFBB02F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E26-6227-0E08-000000003602}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E26-6227-0E08-000000003602}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.177{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E26-6227-0E08-000000003602}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:26.178{C64CDE3E-2E26-6227-0E08-000000003602}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:27.533{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE657A062CF39BEADB1CC9F4FE901CA9,SHA256=913266CD959EB4E297C7C2194E0190C98B45D9EBDE80A50F5D683CBC41FC304F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.515{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=1CC9C098A81C4226464E4EB2C94E6295,SHA256=F2BA6E6098CA5A26B9BEDB429B6360151922CEDAA10810752F55697F6BE02BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.332{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4671741CB10140133DCBC9D49D2CDC89,SHA256=9BAC840428FA1BE7B5AC40A9269D33B00D505C2C1DD2F8B3A84C160ED439BB97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.315{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E27-6227-1008-000000003602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.313{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.313{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.313{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.313{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.312{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2E27-6227-1008-000000003602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.312{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E27-6227-1008-000000003602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.311{C64CDE3E-2E27-6227-1008-000000003602}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:27.195{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0B91B85EE98EEF0D464AFA9E1E08907,SHA256=B4433C2604CBFA6120D075879D03A3BDFC80B6420FEDCAA22DE33DCC83870D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:28.705{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E0DE7206C98EA6DA7676F50F4C9F3E,SHA256=637592E342331004649F487685541FAA767A1A106D82E35DF4DE5511101CFCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:28.363{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA424310C708A50BA2EAD9DC6467CE97,SHA256=E53D5F59EE1C177C94DB67C762E3A3A5A810574BCA083E6B9F56DC7820D23F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:28.332{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F00D13AA2E1C8998216ACE4A8D54D3D,SHA256=A6FFF17443E34FCCFCDDD8126E106D19A483FC198DD47F3C9F9B772861072ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:29.752{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE11C597EA568D5D1F68BAEA25458B15,SHA256=B675057F90C20A9FBCBEE31B0C1EC140681956CA840723E6D3E59546123FFE23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:25.636{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:29.363{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5EC598238DC116FB84A134EB9C922B,SHA256=628216CF2B88144A1A62A1748A760007FF79160A808B40E1A777ED92E63B1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:30.767{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A1C7A54E245CBE49E95CF9A7FD6116,SHA256=42EE1733C6AC93F429BE6946D56023ABD5AC6D46BBF755E94DF7B42391D4084D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:30.393{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FBBFE637577055805D70D88CDFD890,SHA256=F78433585307F4504B571734C18AA0EA619B08FA29351D73551DCA8B44ED4A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:31.830{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BB58FD0A9A4BFA1D7D551596973D67,SHA256=EE8CA265183CA1E9FF66931E80D0C9F6C9B840D21556F658635722D4E1D1D2DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:31.930{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2C62-6227-7307-000000003602}3648C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:31.431{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974F464A49C54A7BBF449F702B722BF,SHA256=4894953517BBD262259FEF405ACEF43BB76200781B0700F4381A4924B37AC966,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:28.410{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:32.986{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B40C228B20FDA537F05221386B845A,SHA256=DB3032AB881FFFB1D1E3BBC48EBA73856D704A357083157150A21EBC0C91A720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:32.446{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45E9EEE0C874F42F7536CD36114B396,SHA256=1E6A162B77841A1539353050E0BE276DEB67A51F35C3E96B79DC709DEC5055F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:33.460{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DA3F9026A078DE39F6EBC31F86F5F,SHA256=A0543BE8B778A073219E5FACE36746AB33DEE8D3ABF7E41F94EBE58E84CCE5C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E2D-6227-6605-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E2D-6227-6605-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.736{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E2D-6227-6605-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.737{DCBFC465-2E2D-6227-6605-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.548{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=38484184D55B52BA1C5954987CC02742,SHA256=B287E0301946D7FB8BBF506F876F124CBA17B77751386A20B6CC6B4C1D7AEF9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.345{DCBFC465-2E2D-6227-6505-000000003702}37643948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E2D-6227-6505-000000003702}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2E2D-6227-6505-000000003702}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.064{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E2D-6227-6505-000000003702}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.065{DCBFC465-2E2D-6227-6505-000000003702}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:34.475{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81472E0728C500882740066D752CCC1A,SHA256=6810140737C5F86F7B2BDD11F0B4AA1321E3912E10D9F957EF1B7C44E939775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:34.283{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264FA1407B8FAE65C298C5363543F68D,SHA256=BBB5D86A20653BB75C004108ED184582D2C5A2D987CC34D9BE0E528351FEFBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:34.283{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365C593B9AA17049B14B963B50DDE629,SHA256=E90355D210697DEE18920F114B566E52DA78D59A1D1DC8044147B87FAD7DFAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:34.283{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFF30EC75CA804EFB7B6E5E4EA48C872,SHA256=619210F6286A43685FAC5AF4F7C545D22FED41E5D397AA60DC4C552681C7B6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:35.790{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1F5F415D11D215353B6B4BBD16D665,SHA256=2A9EBF20A661B32DF3FC8BAA2294C6AF1ED7A59C8C21378E7092F74089E2CF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:35.790{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BAAD88A70F98A886A2FCB7C1B927701,SHA256=71B7DED2EFFDE6936BC171E95ACB458B0A8483AC802F40E69CCB6BD1DB539ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:35.490{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61153BEE99397AFB55B9A9710597DF65,SHA256=A8563294B439678B89F2ED1312CCAFAC660EE09814A60F08EA19B36C8E6E5EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:33.410{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.861{DCBFC465-2E2F-6227-6805-000000003702}5722776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E2F-6227-6805-000000003702}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E2F-6227-6805-000000003702}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.580{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E2F-6227-6805-000000003702}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.581{DCBFC465-2E2F-6227-6805-000000003702}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.299{DCBFC465-2E2F-6227-6705-000000003702}5843748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.299{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C881E67B6301E3E73B95E9FF12B977,SHA256=D7DE5387DC379044CDCC64CC166DF8575F4857DFC6AF610231247E840C3B9828,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:31.664{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51084-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E2F-6227-6705-000000003702}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E2F-6227-6705-000000003702}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.080{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E2F-6227-6705-000000003702}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:35.081{DCBFC465-2E2F-6227-6705-000000003702}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.814{DCBFC465-2E30-6227-6A05-000000003702}18721192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E30-6227-6A05-000000003702}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2E30-6227-6A05-000000003702}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E30-6227-6A05-000000003702}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.583{DCBFC465-2E30-6227-6A05-000000003702}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.580{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0253CAD14A4CB5D63B5B83F345C14710,SHA256=E001F9BD2ACA10C71F8B5801DADCA4EB8D9E199E8267D95AB9584FFFC231E1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:36.527{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069D8A8E09971327DF353F1CF961CF32,SHA256=F0F206856ACDAAB930A9658C5BA3744A5AA1B5B7BEBA4D454FE8272F808FB36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.127{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264FA1407B8FAE65C298C5363543F68D,SHA256=BBB5D86A20653BB75C004108ED184582D2C5A2D987CC34D9BE0E528351FEFBB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E30-6227-6905-000000003702}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E30-6227-6905-000000003702}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.080{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E30-6227-6905-000000003702}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:36.088{DCBFC465-2E30-6227-6905-000000003702}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:37.689{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC284AD9E2A5C393052104821DD6490,SHA256=FA214ADE820B2F6452642217E46741E057D15E825298AB4390A83E81D2B78DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:37.689{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C2FBD64DB2B290EAD57BEFE3A2C80E4,SHA256=461096990E8CE78434BEFA8D31369777012101168B8CDB1666B8A1CA238EF45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:37.543{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BEDE2A1B4035C82B370B29FC9D46C8,SHA256=15B9A802914F18A1A1E2F6CFC46F2058197CDA94896D1923DC7A78E10A597F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.767{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935233E54D247CF7C2003AF0751D07A4,SHA256=91902DF1197B758E1500E15A1A0AE480BB4F9FABCA4AA2E0FA9AFF8C714E9D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:38.573{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1E58F9D430925E12EEFB4A41292B80,SHA256=B37F4874593815CAEED56C3A53FC5C49F353A548917131814573C79947827E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E32-6227-6B05-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E32-6227-6B05-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.205{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E32-6227-6B05-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.206{DCBFC465-2E32-6227-6B05-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:39.970{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276666C302563E10642A90752DEE71ED,SHA256=DF5024C57D351291A383B2611D4F18A76628B4B06ECB182CF8F7ABE712129076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:39.588{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA0457EDFB49BA4603DFED6AD36BC6B,SHA256=805D6C8670E88371CE4381500C75FCB1B7328200FC9B817B77DA3F2B9CF5333E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:39.236{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F8EE0893AAEA6A0ACBB874A0128777,SHA256=9B0792DE2E4359F0031E0C951132216168643A057386F83FA9904F93957E1234,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:37.629{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:40.589{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975C918224308A47DE58B2841CF72628,SHA256=E52AA344833F0CD23E31CFA8F03B701E5E94E6D02A309A139D92680CA1F61193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:41.607{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A58B686C72C7D549620C7D9304A35E,SHA256=7D91FFE1832264749C9EFB6A85D2359F99F925E7B49A970A07B9556221A99079,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:38.441{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:41.002{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C05890C7B520F6CDDBD175D34D0CE7,SHA256=F6CC2208AFC7FC981D6AA483AD1A4B5F39B38FC65381F460F4DBF7F65F404DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:42.236{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71CBC2A5756A8E026A0738E7E14B421,SHA256=3EF17489C16B98B934AD18C47EB8A2314A292405BB5736EFCD72CD962745C264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.625{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FF8BF325AE288FD827136D0D94EE1B,SHA256=477FBE0FB8D4F6A7E6B08C7C4BE77A09AAE33767668FECEEAE31671ABF91135F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.126{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.126{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.126{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.110{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.110{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.110{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.110{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:43.299{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD659BCEDA2B4487D5A2E078C733CF2E,SHA256=80C9E155747630DBAA8C975C9DC1635B939D3597A432886C42BCB37A55F7E190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:43.656{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131ADA4A8B22185169125774B7262EC,SHA256=EBA72C0AF4B926884FE62796562B12230EE8026EF9E20B970A105C0805B7A156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:44.346{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9BDBE8216E3F6FC9A6F9CA27BBC30F,SHA256=4826C99EEAAAC1D5AC2EB65DD449290CF86073D5D5BD6DA27EA37E88E195D9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:44.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6323A57D0AC6D3346CDDA3A7BBA833C7,SHA256=9293A7C0D0A3C6260D986333F4B8282E1678A759B579EBA2BA88EF1B7BADF5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:44.236{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:45.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329388592872BC692812F63A1F73EC9,SHA256=996963ADE0E83D9C5DD089192C61FBF0AA59D245D8A1AF3BCD7A51CD362546D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:45.361{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE558954BE545B8964D4666E90412DC,SHA256=59AF58DED527F98052C93E02748051D912F7733195F63D5F1C44433B65E9619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:46.361{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A8098672976B651E54A0DFF6B38A70,SHA256=598217714C3EB7F0D212EEED9F632DBD4F33824DB3EAD1B17730FC8DDA7C436D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:46.692{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D023C764F3D3478236FE88AE0416D02,SHA256=61E4390002059450819938D744C5323E852C6DB2BA7BEB88FCEF3CFE566BD450,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:42.715{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000018420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:43.474{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000018423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:47.365{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61D1AD5CC547E8AB22FA117C98CEC9B,SHA256=4795014F38E5C0E3F711775221CFDDB64339DD3B498D0C1524FADCC13EE45ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:47.729{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08EC165886C0B51DDC64A9BF398ADA2,SHA256=EE357CE2464277A5E255A2B837D5B899689ACC3D5FB5FAA9F16A96A4B1619F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:44.364{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:48.412{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4158A58415C1D23FA2918D04F55139EF,SHA256=656DB1C536B73542927BF56A41F7EC89C8951A6DE0D928FD6359E691A961524E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:48.761{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1207BECF58974068861D70FF7175B,SHA256=F8A649CABE72BDE81B70A056FE0709B0E2F058BA86817B5EEE78FE13DF4A0B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:49.459{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2881A0A9728867651F61C3CA6E5513DA,SHA256=7330D8F56AB6E047913FAA007D4048F18D0B5FD3C2A5FEC02E56019A7A72B558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:49.764{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1750EA9368986DE220581D7335752191,SHA256=604EFC446A5806EC9EE1DB9E8F667C4CE9CC642F847E3AD0C94D3D78DE20F29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:50.795{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04240ED31AC51A4C34D4E6ACE3A436B2,SHA256=B9F028BD73BB69B4E82F103CB168389E18952FB07351FB4A3470A9A1B0DF0A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:50.506{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D21BC25B01513008B114CE0E5568749,SHA256=43AE3AC6CDCC6C9AC3B0044F6F90DE3751B745BCB035595D63FEC846E55B16FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:50.732{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=C24A94F24648C0EAABF40C6079ABF4F7,SHA256=22FE0DC38F5802AB43BBAAEB97464F493A82549F97CDDC87652FADE7790FD5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:51.506{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E754D0D05B31CEB5D97EFEA0392FD7,SHA256=E807CAAA0D03DCBFBC2100607C98087DB688909DE50F0C407CC4C4C93BE0BD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:51.795{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2959DA77F15B28C1B169849B32AC82C,SHA256=58798D69EA37AE05A5EFE01FB922EDA3A68B226C651B9885E63E7F48352F44ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:52.537{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EB8A738B819C41EB5F8970FE65ADBC,SHA256=5B8D3A541E519859FC64DBD947270143274C92C62D81C7AD6190E201F5EC7DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:52.931{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DD4BB194B1306EA225E9A7991C4773E8,SHA256=D518C2DC52652D9214AB91406B738316AA92E30AD6D5BBF3A8E54E2AD0D290D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:52.814{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAF34553478478B77CBD3900AAC5F35,SHA256=38F6E847BAC33DCE179952AA3A6F5E4F8B0B16D78DCE98957173B5FA393EE034,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:50.321{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:48.604{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:53.537{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3AC4C2042EA65F7A660FE90EEB18A,SHA256=61CBF396496397283B0DD9AA325233312B42952F0EE454B4CB42488F5957359A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:53.830{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47516B8EA7FCAD1DC7CBD81D2303AAF6,SHA256=2813D0137A600E5F8653771C9AFCB64DB0D82A5407CD7EE2D32679CFBF932071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:54.756{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771BFA4A46E6838555B19F3CF357C254,SHA256=18C990876CF9256F9DCF35BDF95F7BCB03D97198DB0472A2EA0C00E040A90C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:54.845{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3399809668E2289FEB80ECE5CE469F9,SHA256=1A15E7B00C01F2062968499E50135032BBE69A339522404EFF09BC203E8783C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:55.756{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006739A89EFA0047A3BEA3D23CB7EEE5,SHA256=9B5CB17B5771541FBB6B5A40F871E1993D912333E3421F91F01A4AB0AAD80ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:55.876{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B875398DEF724FBD8E8EFA689E5077B0,SHA256=1F0C2F2088F878E0A9DF6E6947F1B8FDF6EE28626854EFEFDBF9DA964E7A9EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:56.771{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E98C4179474DC71D0B8EB47835A195,SHA256=1963139BF1B4B87E278EB9F6292ACC1A6F4609199787758B5DD43218C48EAB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:56.966{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:56.897{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5D6A45B803D35EDDD2A6FC4011,SHA256=5D829FC92EC59B2433515447866BD0503CE9AD17A495BA884BEA0D24B6A24DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:57.959{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA1FDB02126C7D57D1A0155009752EE,SHA256=821C4FF8C3D74B67B5BB13E87E122AA2A67B4B2277FDCFC7A73B9D9C23B74945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:57.915{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4CF631E6DECCC70CD31C637688B24,SHA256=34ADC1B1815238796D8E0E960CD6627478355546836BE163887238F8006DC6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:55.336{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:53.778{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:21:58.959{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB89B484643CF3EB38191A499E5C9CFB,SHA256=586BB90A2D6052EB201435F6816DAC74DEA9461CE7BDAEA502A36DACA7479012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:58.664{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:55.520{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:59.114{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:00.037{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0464829C3A2146F418412564807A7390,SHA256=228D8EE9E6DA8D0E2C7257C4CDCCC58D046496E91F91CF5D004CFB2AE0EC6EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:00.346{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-071MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:00.133{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91678D17013A30B1060E28478238A0F,SHA256=498833CC89167A7B6B952F6898AD4B47929DB0C3F8DA7E25CA1863A336034C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:01.178{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326620AF9F38764CC35A90480C640AD5,SHA256=139EFD4BC797C1E50016DCF358EF9B611028C4CFC0E2B8808887210AED0F4A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:01.349{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:01.148{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5E5E607FC0E87AD14CC9E79364C370,SHA256=A839FCE1A7181D9BED83F12008354072D6B894CDE26FDE87BE17661A66AC7162,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:00.492{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:02.334{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FFB6C5CE3558C1CF1535AFD07783EF,SHA256=625953483EA2AC7C00199B25CE079C84C0464B1B228835B79B9031C36724CDA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:21:59.734{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:02.148{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25F548B49B5C648AA6C81FC45E7B9B7,SHA256=EB4D66447E86C8C9F0BFFB9700E2865860B92A44FC6A1982A123A3285B362E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:03.443{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AD0F70C3843EA652CFDB24037A4DC,SHA256=0D65C667103C5AFFD538198C720A7B1FE93012D5D9B6243756D21FE20E29D9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:03.163{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BB904FA7A9471552F612016CBC6181,SHA256=B7909994533800FA9D5D850C6C72DEC80E732C6401E81CD0E2BCC50B46D60FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:04.459{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E570CC971B9D79E0763E009BE7BA5F,SHA256=D1FF89CF4D0BF2CA195F0C4A3D4EE7C3D94FC9D94A1DC4C14FBEA1DF99B4AD48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:04.193{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BE4CA996BC8740DF22047109C2A36F,SHA256=38893CE453310AD44BD920EBB49E93D40C5755670E4911C91E696D44967471D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:05.459{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEA62F63FD2342D439988137D35B910,SHA256=5540F653B4495B534DBCAE07150C8369AA1DCD3BC9AA7C989F62734410EA97E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:05.230{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AD3C48C725B50E3389B37AC05D66D4,SHA256=23E003D9B2896EFAA5428045CB54972DDE22951C7E7BAD3F9FDE0F43B779202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:06.474{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68516A199DDF4AAF27ED765EA06114F6,SHA256=AF25D0C84A58A4FAF2E5C570C1EE845C48EAF3AC9AF5F895B9EEE9628685CDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:06.244{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFE802C061B6CC3581A9B9C8BC4AC31,SHA256=EE0AB8B7CD21966B277C647D1ED1455BB01153DE13496788A07AB5A9D06063A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:07.679{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-059MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:07.476{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D85FEC28413D29CE5A3467C2F51C2E2,SHA256=E997B7675A4C02F7C50103E206FEBDE875CF80ACA00814ADE515D5C78824B939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:07.260{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738866A52B70B05EDF8821C21E2D3702,SHA256=E42A52FC4C2E45A421EF9514D958E0B9081D4EC643FEC7BF651A77912F015F95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:06.348{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:08.690{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:08.486{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7E78B4689F0865E75E7BD4241E51F3,SHA256=4215596E98B3E036D421DE5447F45065CC609535007FD6EDB725903F4E2B999D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:05.698{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:08.290{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B574B271FE53CE7E550D97A32F3B271B,SHA256=724B8F1718C33B764D68C634E68B19794022E179703994F3C934D81B91FFA3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:09.488{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B4AC0155D0B27BB04F9D386F550454,SHA256=82170818E3F2CA39C13887EE5F0909C65D425742ADBE03685435E111BBAD87CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:09.291{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF61178C4957D87F994DFDFE21CACB81,SHA256=E53E48EA0198754186728EE7F7023FA016EB40995E096B3BFC7B14E288270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:10.504{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C359B1E57F60E703729F403B8838C3,SHA256=270DD2AD3738F5E23263F2A04BF4F6188476DFE9160DCE16ED0DAD898DEBBB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:10.308{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E919D390F3B276EE5DBD57881EE5E085,SHA256=9CB055ACA0C128D834EEA884929D618555717343ABE57BD7994DF18300EDB0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:11.504{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5876B582F088609817AAAFC4BA91FEA3,SHA256=15520179FD8C9A7DAA6384DD3164895BF757B3F480676F7C44E441259EFDCD90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:11.328{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2A3758363CDC3028CEE750814E6CD7,SHA256=6004A2B8E9044501C9005A4C4DB8AEDE46246655DAF7942988D72CA4053B5BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:12.520{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1647CF9CFAD1ABCED3580597D0B4C17A,SHA256=6DBE81F963462F9CEBCDE813D4B44B43DF4A6E04EDE716DBF95BC87660489992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:12.343{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3153379F3A6DF074D4C7EB9EAFFE33,SHA256=8A6E5A23A9325F94A8B7A9926556181B27D8900F5F9FF0705A078A7120FE6610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:13.520{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D3CD1ADFFA247DF1780F798DDC82B9,SHA256=680EB12A49F0A48050EFF2E789CA3E4EAD00E95C8DE68B16F547FD12DA6AC4A0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:22:13.907{C64CDE3E-1CE6-6227-1100-000000003602}400C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d832d6-0x60fded02) 23542300x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:13.345{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE359403DF675EE081E80E3D57FFBED0,SHA256=C1D663E5D7E2AD1E008B7006BA7C98CE17AF2FCFEAD2B7A03E6C82A5548E92A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:14.551{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC94E01D7F2B5C1E3652AA933167344F,SHA256=420EC2843363C1B00025C82348DC1416DAF0C43C091073D2EC70C52DDBE5C9B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:11.712{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:14.359{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB9225D0CEAAF347191EA30C3FD3A5A,SHA256=27C254FE928CD4DA640117967C41BB3B66556883D545DE348C3D2A36B3F79E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:11.381{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:15.785{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B3F8266601CE078163404B055EC60F,SHA256=11E0FA166D17B5E06A3D8FB860B9C8604B0253E98E7969BCDBBB0DBC7A85E1C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:15.927{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:15.927{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:15.927{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4435ca.TMPMD5=847FF2A64311A111F9C46697989BEF76,SHA256=E334D2C69DEDC04CD4D70803894D1FCB59BA771169046B5DEDA16196007ACB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:15.390{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9532F9F6EB02854480909229587319,SHA256=7B7C1761572DFE8768C2A765F25D6D3AD53FB4FCD1774ACCBBD19F1E3FD16122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:16.910{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A11E2C89F5B0CE5719F76BB71E91E0,SHA256=48BD3C116E266D23775BD7ADD4DAB59C97927B6073AC64C17E2395B44AFD8CC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:12.459{C64CDE3E-1CE6-6227-1100-000000003602}400C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local123ntpfalse40.119.148.38-123ntp 23542300x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:16.411{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91C0E582B618AA2228C2147BD9BABA0,SHA256=BD868F7D360815C05AAA73AB53663A8E30078908FAB000308BEC2FFCCBE3DB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:17.426{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5198F9F55F714E12B030B767A207E3,SHA256=1FA9E909C6E6779D607608A794F97E1CCEEC1743C6172E0D35F148B166456EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:18.066{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC8AE47A94AD8E8DC151DA296BB4688,SHA256=22B648C369FE6760D33D04F44215AE04C01B39AEE1F7FE1F23E52EE49D0BB2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:18.441{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E44EED8477FF309EB724B46C26CA36,SHA256=2C5B2EDAE7BDD69E8F2CDC3DA162584EC93B9169611571A54FE552619E982150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:19.471{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96A5E083DAE414C76E60A1030CE1BDE,SHA256=FAA885EE7CDE196E57E2E6727EEEEC86218FAB01D1CEB7873A31A71A1B853917,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:17.319{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:19.113{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D220FC95BA49D04A1C436299542D93F,SHA256=581E93ECA76D8C41F406EB8E20841E2D4B9DD2BF36DF0E81E4F239EA28C5292F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:20.145{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CC7ECD9419EADEE9DEE0EE650C61E1,SHA256=1D8288673245C4819C158B389FC697F14205525C0EF00713A9C5C00F77BEC9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E5C-6227-1208-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E5C-6227-1208-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.954{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E5C-6227-1208-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.956{C64CDE3E-2E5C-6227-1208-000000003602}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:17.609{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.486{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C8ADD0E178A953FBF7EF30E5D98DEB,SHA256=BA8F7215E977EF9FA168163523010FB6685E2D6A0505526D931AA1A6C4E39C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.406{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E5C-6227-1108-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.405{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.405{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.405{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.404{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E5C-6227-1108-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.404{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E5C-6227-1108-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:20.403{C64CDE3E-2E5C-6227-1108-000000003602}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:21.363{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D061B2B3571A4D3F07A786FD2F38A8C6,SHA256=54E3325F32445C0BF6D60F1938F0CD12B0FC267C29553CD4447F47D02628BBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.486{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADB4B5F1F64FC4AD0A9B61A1B8274FA,SHA256=9A6BE18CD542401F3F41FF4E8D6184D0F1F2F0866221BF629403EF1B5BBF5FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.424{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60B8D43C44A12A515D59A35B5CF378B,SHA256=0B530A0BAD458046B1411932580A531E27FD7CCBF98DB7C8D95E139F12F4C8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.424{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1F5F415D11D215353B6B4BBD16D665,SHA256=2A9EBF20A661B32DF3FC8BAA2294C6AF1ED7A59C8C21378E7092F74089E2CF0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.138{C64CDE3E-2E5C-6227-1208-000000003602}46286488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:22.488{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042F13164C33B81316817DD370C9582F,SHA256=158E6F20051D10ECBBE9B5010BD440EA21554E8EE829366852690F4F3F2F51AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E5E-6227-1308-000000003602}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E5E-6227-1308-000000003602}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E5E-6227-1308-000000003602}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.655{C64CDE3E-2E5E-6227-1308-000000003602}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.486{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C63EABB4198DF705B7B7ABC31353ADC,SHA256=3A6EB8CB566722BA8F6C0AE419BB9409123C19F686D5C423556FF929DB3F91C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:23.520{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F537AE12D95B4C162BC05EA9601EAEA,SHA256=4EE1D6CFCEC7613FDD44044B9EC8990E5F3F3250AE92DF806B5E1D6B2A022F0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.754{C64CDE3E-2E5F-6227-1408-000000003602}65606732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.669{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60B8D43C44A12A515D59A35B5CF378B,SHA256=0B530A0BAD458046B1411932580A531E27FD7CCBF98DB7C8D95E139F12F4C8E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E5F-6227-1408-000000003602}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E5F-6227-1408-000000003602}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.554{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E5F-6227-1408-000000003602}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.555{C64CDE3E-2E5F-6227-1408-000000003602}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:23.505{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5214A83DD0AE6B3E6A2624CBBF5135,SHA256=33C539D14B399FA0B0B5F4D202BED89E0987C2B9D6F56268B63FB8161BC29CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:24.598{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158EDD3860EF36DDD2E59CD829A6EA9,SHA256=491D749459D9405D9C853FE74E12D4BCD518C89BC8614AB160F6CCA7AC3FE4CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.769{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51094-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:21.769{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51094-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:24.522{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6591ED0230476B032F420007845ABF7A,SHA256=9EBB1178B53B5F014ACF2A1E5A8CC72EEAA5BACEED464D0D160C096FDA731D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:25.613{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F3FD3DBFE44BD8C5B9E6F46587334B,SHA256=13F93592F183FF92F7EE8923CD49481050D24B12D7E4726F48D89BD7E1E74044,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:22.637{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:25.553{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FD39F488184CDEF8B813A88DA1789B,SHA256=07F102E31D9F294F696F063E7A0EECBFBC94FB5B6EE506D5AC17400624569B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:26.613{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151F1FC27937910381270E85068A6585,SHA256=7041CC919D9E439A85CBFBBCD089B3CF73077B9C542CEC8FCDF1B012B9ECFBC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.987{C64CDE3E-2E62-6227-1608-000000003602}56687012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E62-6227-1608-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E62-6227-1608-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.683{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E62-6227-1608-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.684{C64CDE3E-2E62-6227-1608-000000003602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.604{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C702404695AFA676A859D0EEAB9FC4AB,SHA256=B078E27F3D226A355D2C4849B47150A9EB3257C2E315F6A74115E584F64681F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:23.288{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.420{C64CDE3E-2E62-6227-1508-000000003602}57844972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.352{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=D6CB9416C0251C17B2F4B7DC4ADB73D6,SHA256=9FF062C6DC69842878B5976A189B521E701FCC38A870B5AC6D54727C2CC668CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E62-6227-1508-000000003602}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2E62-6227-1508-000000003602}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.183{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E62-6227-1508-000000003602}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:26.184{C64CDE3E-2E62-6227-1508-000000003602}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:27.616{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A51BB11F368214B9788E0D622EB5916,SHA256=EADBCF7F38213CADF4AA88196704673B1B0CFEF73CE4FC638D8F6EA969CFA5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.635{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680B012F830FE2B039E659F1FC2DC784,SHA256=A455F2585D9F71F74AF912BDECBA73BDC6D0E5B1A2631B9B554E1C3F9C53712D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E63-6227-1708-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E63-6227-1708-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.351{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E63-6227-1708-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.352{C64CDE3E-2E63-6227-1708-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.220{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28EC2D2BCA0969208E35D608716C750,SHA256=DE1ACBB742ED0D041F747D2786B0E36B6CC8644B9F11E7B5B140A5572E555AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:28.678{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5431693D8ADF1FAF989DE9C8F04BD1B1,SHA256=138B3FBD0BFF40374E857C08DAD63269F2845542741DDCAAD32C002E941F3BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:28.667{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8044FE96B1543ACB0074AC3E4B517C,SHA256=69DDCDA095F0CAA514478D2B1C87B19BE2D48409DA5E46EF50060FFA7925904E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:28.367{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C212140CCA7A195224BB44B7A30B3F7B,SHA256=DDA6A0F240DF49FCDAC9A394700898F05219C6F86F1166B5DC763B9DCBEE2F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:29.678{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4587E672ACE32F26EF82E215B6A195,SHA256=C7D5E4EC75C18448A9CF02B58B1E01126190AC605E3B1C1FB7FF2AB904238508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:29.682{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C295B05F9888DB488102CAA9A11A3C50,SHA256=AEBFE638870A63FDF18E2ACCB40103AA1B05E12E48AAA625AEB5A39FED620A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:30.699{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058318BD5873112590BB5057F3981BAA,SHA256=196C35C1504C62440C37EBD980151B462993D7D1EA23753D8E122126A3B257EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:30.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38590DA2CB97746AAE64CBAC350CD4CA,SHA256=19BF2E18B208B9CCFA19EF5F785FEE7AFFA1A9508800034A2AAE52F4A81A41B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:31.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA0BC157AC061B723735D7B5665B096,SHA256=B018792ACB84DE2D55C48742D046B5365FFE4B22F44DA175E417014D02DBA1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:31.719{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CE7B5BB94D8E978C7F1E382ECC8DD,SHA256=72F8308692E581E15BEFE856CACD4EB523BBC1BA29AFF61F523E566D5A4FF11E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:29.290{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:32.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C739898554CFFAD010792499E12B787,SHA256=F23149839820C66A32A99EDC27B1E103A3E59DCE093F1C3E3E463425FA27BF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:32.733{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28F2E4DE0A09C0CC13B5D86FE6EA46A,SHA256=61A91D38FD304544441346917CD79574E33AFBE1A895DE90AEB748D41ECD66E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:27.702{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.734{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF026B3DC9BFE9E24593BC54F39999C2,SHA256=5DE4E1DD9726EBEC0E64BA57426F2C7E1D7E5CA577475F2D7403B86EAA88420C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E69-6227-6D05-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2E69-6227-6D05-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.569{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E69-6227-6D05-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.570{DCBFC465-2E69-6227-6D05-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.553{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A9AAACBEF1E7D33B52DD515AA76E32FB,SHA256=27CB98BDA4CF538062A6B22B5A6B5A2FD80879A3A8CF13871A11EBE6D02F60D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.397{DCBFC465-2E69-6227-6C05-000000003702}39082744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E69-6227-6C05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2E69-6227-6C05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.069{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E69-6227-6C05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:33.070{DCBFC465-2E69-6227-6C05-000000003702}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405568C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:33.149{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:34.765{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3788C01A729CB4B7AC6D4DB730F358A7,SHA256=36872A6556EADFF8DD027C0030ED315B6F2E660645D6935BFB7918359156005C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:34.116{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEF0F82E1EEA746B0DD55714A604846,SHA256=CC137605733FF3D68C4E67197F11836B50C10FF92F36DCA446B95D774D524F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:34.116{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95E74075037BCFD513768A6561A90B62,SHA256=1C7BAB20EFB4B20C13DA015CE5134E7C67F671934C385FFF98EEFB6B7729CED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:34.053{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF34B3AA59C132768F5FDA1ED085A1E,SHA256=CC4F637766079BE255A3E58600FB821E7EF625E8130A0D48B66D3BD9C7D7AC5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:32.785{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:35.798{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B6A6D154AECC4D39AA4FAE0346EA62,SHA256=1B5DC83E3352A8C8972085EE9E7767B032AD3B75CDB774F9815E762C6BB2BFC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E6B-6227-6F05-000000003702}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2E6B-6227-6F05-000000003702}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.585{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E6B-6227-6F05-000000003702}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.586{DCBFC465-2E6B-6227-6F05-000000003702}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.335{DCBFC465-2E6B-6227-6E05-000000003702}26243100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E6B-6227-6E05-000000003702}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2E6B-6227-6E05-000000003702}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E6B-6227-6E05-000000003702}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.085{DCBFC465-2E6B-6227-6E05-000000003702}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:35.053{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89109514041643D754E21EFFDE6D4B77,SHA256=1024B2D7B77C0A5B2F4B784F65BDABE360AC92C8E62BE8B7098612B7CF2B3079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:36.817{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E02606A2D719FD603E9E91D7D96C,SHA256=40A28EDE67EFC5FC533D8B82DFE1615154F22315A66834613E28CC7B57D5C8AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:34.355{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.835{DCBFC465-2E6C-6227-7105-000000003702}28443164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.756{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.756{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.756{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E6C-6227-7105-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2E6C-6227-7105-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.600{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E6C-6227-7105-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.601{DCBFC465-2E6C-6227-7105-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D902620AD4D83DCF9E31701215B7A29F,SHA256=2C29B140122288DCBFF6E34E09C5115F9592EC666FE4A16572A4F86297A5E5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.413{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEF0F82E1EEA746B0DD55714A604846,SHA256=CC137605733FF3D68C4E67197F11836B50C10FF92F36DCA446B95D774D524F94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.350{DCBFC465-2E6C-6227-7005-000000003702}2180356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E6C-6227-7005-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2E6C-6227-7005-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.100{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E6C-6227-7005-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:36.102{DCBFC465-2E6C-6227-7005-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:37.553{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A49F49F5A559F102287448CABD34C0,SHA256=0CEBAABEFEEEABCF2A0AEB428520A83DEE37DD8EF4C4D5F7AEBF27041CA0C593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:37.553{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF4729FCE49C8AEA8E5E7AAE38D5CC8C,SHA256=9AD7235BF971A424561CFA8B8A058150A2228D0DF6150D31D6F9A24C3E21F146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:37.832{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938FABBF6D511BFED1A3D7F455E1700A,SHA256=CC9BB56184722DC0DD1FC8FA21606A2D1D7629AC631AE5944B286FC5899D4AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.694{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAF9AAFD5AB3B81153987C4CBA6E743,SHA256=A77A111FDDF74E538388543A849391E5C5EEB7F97705C361CAF3D50B7518C951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:38.879{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB3BDBD7D4670F342825B4B7AB95A79,SHA256=CFD18F726EF53BC20A2A6EA10F9EE07EE112D5A49F28126F552D2300A7D843C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2E6E-6227-7205-000000003702}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2E6E-6227-7205-000000003702}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2E6E-6227-7205-000000003702}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:38.210{DCBFC465-2E6E-6227-7205-000000003702}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:39.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26986BFB3BCE1FEE3D6171057BA278E2,SHA256=0B329696A2253728B2C5C3A640958974C6DD75DD672321D580F952BA19AD13DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:39.896{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38422372BC3E0459008F2346ED3CF08,SHA256=2FE4F876DEC4C6AEC371D912612E3FA189C7F7980A18855BEF2E436664A8813A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:39.244{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84FADF7C9D320442DD940505A822A536,SHA256=B9D13CF69A283E44F38672B3E567737B8A3AC62101D41BE680765B68AAE1EAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:40.931{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CE29F9BCD1D34509F0DF578A6EDC49,SHA256=C706F49DB87FA7832BE8E63C7BF25B1CC77773731209519E12D369224929BC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:40.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D848287FFF0D604A8CD5E571518ED1B2,SHA256=CE107626B8E95819068D65353C83BA84DE6B266A284057B6ECFCA0E292924D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:41.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B187EF36AC5DD310B6879B2476E8A87,SHA256=FF979D02F265807218DB4ECF79112B6D3DD8A8D8AC847ABD3AAE895633708D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:41.945{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B8E86E4EB2E8FBDCEAC7B605F8503,SHA256=7E94B792EF39FAB69E6ED6A94EB97273D3761326A95B9CA41AEB5BF982935481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:42.725{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9598520A2BCE38BEFF17C9988947E9B,SHA256=3BCFCCEF910524B720FD2B55BD992EC89163A01C4175B474F42F61F3EB538E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:42.961{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47EB572E0ABC3894895A74A7E22E56F,SHA256=D1702851CAF65DD1C060C4CCE0B3222667F98B07E2D24209234340FF7C564E27,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:38.644{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:43.741{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED5B0C818F9907E4B184E3109E36B2,SHA256=7B0CBE8E56F86075391DBDDF45024296FFA6C7CE9016C161F066FDC304C6472B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:43.994{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303B1DA3A27D931A993C14A12CC02AA4,SHA256=5B94D7ED25B5D79343C7C22C2AAB90832F7D5C342A764BB3D569BBB3E9E4A63D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:40.359{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:44.741{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BE9B044E69CC9433377E6963628474,SHA256=53FF7CCBC903BDE476A8B5C4779DC039D05E6E2ED3BA993F5FE6B9B1238504A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:44.241{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:45.756{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E50BDF65EDA38C170D473AAA333481,SHA256=21FABB786990F91BC539A67F4FC9B4BD325045DDEE3BDF085A2BD499DED88E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:43.493{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:45.013{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B1EFE8ECC81AD6E66607D0D5254F28,SHA256=084118966C430AA7B5FE429F75BB03CB83006597576D99197AAC2FF1A54F8145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:46.761{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDBB3A76A414B1743CFB797AE29AD07,SHA256=CE0DF58307D5CE4D94F7AC0C9A7ECDAF6697636CBF37E7028379143406190E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:46.027{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3817C25BFAFEB85C8C44D875136869,SHA256=E6C4A14476E575F06BB4D84F59F1B5D5AD2DDD14BD0BB9D5BADB6B3D90A37F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:47.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1E03E7C54E3C32B7C0CE4CC5FE355D,SHA256=887B01DD54EC34675175093BC4EF793A88F28FA5E7F0B68BDCA80A3B3BAEA000,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:43.710{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:47.042{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9023EE1CEEA46CA4016692E516DAD5,SHA256=4A7FBE814B1ABD8D66F97BEC4C5D61CEB0064F23D6EE0DD84D753795CB882E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:48.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98545893EEE27FE848971B20B4E59690,SHA256=A3615C478C3D480CE408EEB059321D4122294E6451C46DB9C0B18D6E53056555,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:46.357{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:48.073{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6C441F4A275E7B137E4E71550B580E,SHA256=8F80587940B53EABD9D809C09A381E476383036192F4CC678956DEEA52A9589F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:49.793{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AE47645FBAB7E687418D62D0B5A835,SHA256=F9F690E9852A90601F38FE7484F5337EE9A92DB1B775467C44E475F630B742AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:49.091{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6981A8367DA4A1B9818A70539C0D0D45,SHA256=6561B17BBAC12CF9F186066C3532157EB4160584E73504F8EA36E2DCCB64928E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:50.112{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43E802EAD1A290D51C395ACD3B20911,SHA256=6BF066E0F3374D053665CDB8CBD1286F53492152C46ACDC858E4FB8FD6F6F28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:51.011{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A30715B0475FE5A81E6D7A761B3FEF2,SHA256=259A6A0669BC634AD10131B4A61CFF6341724D3CA9A83B55F2DE70B7E2274FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:51.128{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D29B5B4E6141A02DCF86800616319E,SHA256=4E9BDE3F1511D4795A90B6014CA5D0A0FE7926F146CE611DF926F46110E54846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:52.074{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DDF10927614AF00E9066CFCE2D7516,SHA256=A93C60566AB93F242904939D224C331A02BD54EBAA2A1C5E16811D3B08027B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:52.943{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=031DC7A15BF92EF2B1BFAA7698675600,SHA256=E34A90CC1BC3123FF5B28D42B2D26FD9577BE641994E88268CDA471FB95A26BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:49.455{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61222- 354300x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:49.454{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51472- 23542300x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:52.143{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9132A85218949849E33370DD12ED12,SHA256=C17ACAB086A598EF16B5BA613A07F3D0204073B174F8D0B3248E635803486B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:53.105{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AED58C849BDC9D029EB03CC9435C736,SHA256=F6D2AB741184EB847C7065836BCF4A219CD4243BFE1A5959F3DA12773F2757B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:49.710{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:53.174{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F93457E3E7FB05592B4913E3298FD3,SHA256=BDDD144638CF1B9979CEDD0D0070C5868B9C60B0535A071673BD2BAA104B8C98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:52.358{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:54.168{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A5DD308800B497E9657BD164836037,SHA256=221D45BF00FF5496EA0A9E0C92D0E772C653CA5224AEA40B461D1A0887263ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:54.195{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1D640391DCF8CEFD88EC42442389D1,SHA256=A3236CDA0043206FC51A082FDA745585CB6BD8E4640D3386B0822AE6AF9636B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:55.168{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA852C688BC35B6847534902139F1FF,SHA256=BDEFC61ECC074AAE37CED65FC77F551A44A3E2EF2E4E7EE259316473AE31F079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:55.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2152760321EEECF44F5F84669CEF4323,SHA256=02063E63393B1B39E6F129EAFE0EFE3294FB4BC5801C5C954CC9DADF8A62BD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:56.214{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE686B71CBC68E237A2C230C597C89C,SHA256=ACF11BFA8D84FCC654DBB8A63CF26E45D32AC3C49CBDA24E4CB4384C47EB956E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:56.995{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:56.212{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF12B2EDA28200FD1088FABF1F2EFF,SHA256=8431C077153C3847E119A59EBA457C3E5465F521857BFC4BDA233C1006392BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:57.230{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4727AF1CE8735CBE554ACFC1CCAF232,SHA256=31A4029E13D74206A7A05C309FF4A28E8202A277CD6A8BB251624039B7A0E566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:57.213{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1CD1C6621B9076957D51B44A3CE947,SHA256=4A3E7E1D9F905CF9C827F5807A18A48605F43362F2D2BDB6E698280111B19771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:58.355{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF45BB9BAB2C310702B87C3FAC137DF9,SHA256=48CC41CA017C22B7301D641B120C6EC19060253E7BC3A5675D2F6E8FCB443F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:55.540{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:58.243{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B27B4DF769BCE2DF9B7EA6946B88C,SHA256=E849782245AA46A7FC1F8AFB2BF20AD7993FA907A9F35D5083A04C31FCD01147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:59.589{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF0BA121FD5E6B8B9C1D6C2145AA5DE,SHA256=EB3FD89E7C480391C5B9D99225C93EB4154A3157C687987D972EDDC3658C2B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:55.693{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:22:59.274{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC5FA273675BA537E8A04F9FE201B40,SHA256=18CB68C6DCEE6DDC541586172B7602C691203804A199317CD31D2449F0102385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:00.777{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0776985F2F50949C6C035D15212E56,SHA256=BDF21E52012EFD3D2DBEB10B071BA728313B2681C29F952BFE481BED7D90BFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:00.294{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FE67725B3EB43C3E2EFB997B26854C,SHA256=A5C704B737AB525C97336083F59D58543F2E05CF59EDFB9B4BBB29B9041B05C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:22:58.357{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:01.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A57733A9C86D38E001685D5C6DE90D,SHA256=134021A5357D2C60B0F46E1ED2800E87813C6F1065332E0DFBDEA1D167C8C124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:01.910{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-072MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:01.309{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A3FB8A492F81B5DFF39F27CD5B3B90,SHA256=7C40A136F7018E995135F78F0C75C570D17221E6D0131D57876B18844766906B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:02.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0294281BA47F625F3675F2E894AA61BB,SHA256=07DA94EF9C96EC77F24B3896CEE9F5102E4B17333FACF86C6E093C64B614EE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:02.910{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:02.824{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0A5FDBDEF47FFE0F37EB23802C8F9E9,SHA256=BA4125C3DD4F00C80C1117969B11736EF7C68611D637104C818D81CAEDADD4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:02.824{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2F8EE853F993B0CD5CEBFB3D3F215D0,SHA256=18407707D7FA1EFD44E6F1783A4D018AA98A9D5DAD3E41464D6D98F8F2A6DCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:02.324{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FC47BFD32FA5B19EEBE0838DB72EAD,SHA256=0E50F21A58C15AC8E4AC035705510159142D4B7A905F7A32D9F272149A4ED041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:03.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DE0C995A1615BB39F4FA48792FBBFB,SHA256=992046E1B4CD3B0B16D12938405F0DFE544281301D87E291371747B50383F670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:03.344{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8AD0BA6905ED87958FC0FD3A7B63CA,SHA256=3D31C85D47CBFD22E39AE8FBA9D46532A9641762DF6C39AC01E063D24899A3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:04.839{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2169D7A8E69A0CE12DFB0D32E48D89,SHA256=F13579A98EF3D0679DD2D5629FC20AA250A3FBE381CFAC4D9B902F428C59E839,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:00.790{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:04.359{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA5923AEDC8395EB27B757D9E7A19DE,SHA256=12D9EE421F42E9CAC56C94A993B0310D6C2B47FCD2C4ED255AB9F1036CB260C1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000018617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:23:04.793{DCBFC465-1FE0-6227-1500-000000003702}604C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d832d6-0x7f527bd1) 23542300x800000000000000018619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:05.855{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84E533290BDE07E91F2E456CFD5127D,SHA256=78673B6A143F8F857923720CABE6FCA63871FFB58D92D4D6C80533EFE9E58DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:05.375{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A8F4A3FDAC0223BDDB4A0FBC3D84D2,SHA256=916532691C00D06A968CB9C33B7B9FD64B79AA23814824AE1ECFD766A70CD5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:06.860{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B063A10BE57223C4EEB5A8A5611DE5EC,SHA256=730B94FC2DDC1282DF34E1C4ADAB23C6358D0B7D9C4A57AE03805D0AFEE0025F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:06.411{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B7D5AF4CDCF885CB0C7024B91AF787,SHA256=829A0F2FE8F702D203ED770FCFF61A8F85312B15C7051C09C1A7B30FB58EF7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:07.876{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EA02E07D10BCA0829901CF1028FADF,SHA256=AB05EF69612A42AA988C4D77B48BDF55040D50A8BD6CEFF17AC95400AD56E404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:07.427{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10057FB8892ABAA995195FD58B0922E,SHA256=8DC368E39751C65A36CD8B3518D2FB9302E8E36B06B08EAE454CBA979299AE0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:03.436{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:08.877{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46042D933A3588E48132E49C53AC702C,SHA256=7E8FD1D3C129A0721C8FE17AD6A45CAB012FCC179E922A01FB4C3B69E6C4C1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:08.458{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B79BDFDAD74FCF02AC7C3CC1071B6,SHA256=31C28E6B418720243ADD5FD15207DFCA9DA9D545EFC68A4398D92C7F60EE9C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:09.893{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E408648E99FA7E18915C357FA0F55E,SHA256=A72018AAA79787901165E2E830372098DCAA0F442DE8D9CACF3DDB4C25ED1F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:06.657{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:09.490{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A546C2868719D66149002D7E50908D,SHA256=A0B88DE18C760249766E7580CE4355D3F404F869492A14B02C95A6C9F7A2C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:09.208{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-060MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:10.894{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4390F9F6B15AF25D075F06F05E2B1F0E,SHA256=84FB2A3A76285432E84EAF8ACF4714E1CC486ECBADFFD6F525EF91688CDE7768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:10.509{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE64BA23E3BD0435D879EDC37C0ED1EF,SHA256=BD6175140D5D0B0236427DEC1EBF8A717A903E233EF76101D3F1F2B4BFF371F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:10.222{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:11.910{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C828A718736C935BF2E0D13B719308B8,SHA256=EF36AD40506775B2EF60177C42F8B7892DD36BED919D88A13936DF6A5E9A26C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:11.511{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6C287E167C6641B9622BECC811A9F,SHA256=D86086D4962B8D24C68EDBA5E32FB3F46CAD7C125DF51CB1D89B89ECBC81F03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:12.925{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BE048604D237CF1DC4B7EFCC20F82B,SHA256=EB79C70AAB43CEAF4BABFAA1B099A30ACE595B29EE54CD87A15FE082AB2DFEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:12.514{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226EEFFACAFD92E8E5635DEB23266842,SHA256=51CE81F9511FCAC60FD2D281307C7B0E14907D20EAE2F6CD42F35EAB9E5FB29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:09.364{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:13.941{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9217355718F57AB662F69C5365A4A08F,SHA256=C2E3B266434F5F8C2209046ED34F74F844F4197F0A60313AAFDA082622348882,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:10.485{C64CDE3E-1CFA-6227-4500-000000003602}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51106-false169.254.169.254-80http 354300x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:10.484{C64CDE3E-1CFA-6227-4500-000000003602}3652C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51105-false169.254.169.254-80http 23542300x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:13.529{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2197B809E71A040BDC63ED5988759E,SHA256=0F6DF2EAA335B40D63D610A73087CBA4EFD5F4F9D3C15261263E65F7868A3D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:14.544{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645671EBCFC3D835AB7BD2A6DE29740A,SHA256=685597E0AA7FCCA14B3354B48035018AB4CD8D902FC06D60F76B2D26823F3A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:15.160{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD6C6ED9A1D5C75001F12465DE014F6,SHA256=D328CEF9EF0D60387CE06648E11118221737FB15FC93E1C11D7BAA504DCC8D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:15.594{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDEED6EFD2993C44361C731F507D94E,SHA256=F9E6C130E6FAF05D89012D9CF7A734005B515D352206ECFF7C2BF76F9924C10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:16.363{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB445DAB7411AEF912E853B41A19EA9,SHA256=8AEF28EBA5BBB5A39D2A15A8B14C76286BD679AD5C02253991CDB0254EB64350,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:12.658{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:16.611{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A779DCFDE8E60D7B73FC95DBFE89F79,SHA256=52361C3DF57922DEBDA8E2011B8EAF2AFB1332EA19008B939967B523760F0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:17.394{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282881570E7A18DF55427715451A1644,SHA256=4F77C4F7A07C38805CA447883AAB1BE9F2A27BB07B703AA5547D61DB319CD000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:17.626{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9523CB1A9BEC874FAF30DD177DF91E,SHA256=2FC85CC2723D2EC9B4F268BB9E5995EDEB7C6C23AE5A735F676643741BD630FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:18.628{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECE222979BB4E3A396A7085780149D1,SHA256=208ED8858935B83A63ADC2B173CBA24A68EFDA40B511EACEDA6B33C511014C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:18.642{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688C5C25E9C46BB251156365B85C4EC1,SHA256=370234651442CFF4F128100F89AC8B6FD4D94D73D516D991D2F8A26387BBC2C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:15.303{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:19.847{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3919AD6375B6F0D74E0C2891C6CD4E,SHA256=40848C27CA4AA826A1EF3BC45F5F169730193710272D95C3D1EE2180F314E14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:19.673{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF329BB7E2C968277F7E222BBE75CFB4,SHA256=2E39020BA9FA8D407C81BE36F57B4ABB393AEEAB35BC5DACBBF4A0B03BFA6B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:20.910{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E306665E7A78252212AF3211137CFE,SHA256=505BF1A1CE41A0C13AE17EE79E003C09358BE6EEAB1B06FA81BDEF49B858BD86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E98-6227-1908-000000003602}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E98-6227-1908-000000003602}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.971{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E98-6227-1908-000000003602}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.972{C64CDE3E-2E98-6227-1908-000000003602}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:17.774{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.684{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7865DFD17C0C8A1717AA3319FAB8FEB2,SHA256=DD06B5C0B0D850ABA36EFA44CC231F62CFAD1AB5625A105C3B81530E59A8022C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000018638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-SetValue2022-03-08 10:23:20.816{DCBFC465-1FE0-6227-1500-000000003702}604C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d832d6-0x88df73d6) 10341000x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E98-6227-1808-000000003602}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E98-6227-1808-000000003602}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.409{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E98-6227-1808-000000003602}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:20.410{C64CDE3E-2E98-6227-1808-000000003602}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:21.972{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77CBA8AED93BD4E89D1ED57088D65C1,SHA256=9177E5E3D05438F1A3233B0AD7EEAF3E4CB14360389697F5D81E64176F5BDB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.692{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04257520323E7D09DDA374A08684AE1A,SHA256=9FE9EDEB2DCC23ECDBA98F0E115D07BCC0E426F0932AEB121934C6B2CF7CB66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.428{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F2E625205E531D3F18069D363B7E604,SHA256=E762BE035AEE461F1C65575F43D9711272806DA52440A9DA9F7043A8D2D8A47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.428{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0A5FDBDEF47FFE0F37EB23802C8F9E9,SHA256=BA4125C3DD4F00C80C1117969B11736EF7C68611D637104C818D81CAEDADD4A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.294{C64CDE3E-2E98-6227-1908-000000003602}59725452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:22.972{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D52E9CB645381FBCD35F05AC8DC9C9F,SHA256=A1CC454D356D5F92C0925F2EFC9E64EAB020D3478AE94A36C1CF756EBA6B811F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.744{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA9A099969049B73E7032D205669FDA,SHA256=36037690D1F4CDA6B9D32BDC149EAC25988463FE13FE444922DD142F7D3A2BB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:20.052{DCBFC465-1FE0-6227-1500-000000003702}604C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 10341000x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E9A-6227-1A08-000000003602}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2E9A-6227-1A08-000000003602}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.659{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E9A-6227-1A08-000000003602}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:22.660{C64CDE3E-2E9A-6227-1A08-000000003602}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:23.988{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EE67F437BC0B24F4FC9E7030342E09,SHA256=120264CB498E5449CFBD0D1283B39CBD0EA3E0C6C66A0851026C1DEC0681EB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.913{C64CDE3E-2E9B-6227-1B08-000000003602}51165696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.760{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66285D902E7097D127ACEE53543AA9BA,SHA256=7A101F6C85EFC8C93AB488A868B8735D2027CE880C820AD45202C82740BD9D6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:20.428{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.690{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F2E625205E531D3F18069D363B7E604,SHA256=E762BE035AEE461F1C65575F43D9711272806DA52440A9DA9F7043A8D2D8A47C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E9B-6227-1B08-000000003602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E9B-6227-1B08-000000003602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.575{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E9B-6227-1B08-000000003602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.576{C64CDE3E-2E9B-6227-1B08-000000003602}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:24.988{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012C7F542B134B2FE6291847851617CD,SHA256=2EAABCB2EB3755B3C51D2AB7314E2B7662E351AE2634650022C003B668AE9673,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.770{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51109-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:21.770{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51109-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:24.761{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC08C56AA25F47E8885DBA12598A9884,SHA256=7A530B72B9351F243C47BC1213D41E8ED83E3A0534573CE46C5A361EC7194D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:25.988{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640FF5541A691EB333A6FDF71471CD3A,SHA256=92387280ACF7379D02B437EFC842FE9756F1B292BC76A3CA7AD45972BE3B3637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:25.776{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC873F58AA813C4BDB33E0F16CD07AA,SHA256=06D6FE9E5D8BAD378512BE23020B1D11A7CCF7462A15E42C80217BD7D7174191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:26.988{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B92555C25880F0D3E945A088977869E,SHA256=3CA4DA139BFC97EB3620764B150AAD31FFF5B90381465693732872BBB17F7681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E9E-6227-1D08-000000003602}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E9E-6227-1D08-000000003602}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E9E-6227-1D08-000000003602}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.793{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.795{C64CDE3E-2E9E-6227-1D08-000000003602}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.777{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EB394658B6925705C32CC0787DD2D1,SHA256=02EA43F117A7BC1AC79EFDC6A2EB3BE151B319EA8F82F44A9569B37204E9FD99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.445{C64CDE3E-2E9E-6227-1C08-000000003602}56322068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E9E-6227-1C08-000000003602}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2E9E-6227-1C08-000000003602}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.176{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E9E-6227-1C08-000000003602}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:26.177{C64CDE3E-2E9E-6227-1C08-000000003602}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.785{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8C0F3883EF839A643BBDB843951604,SHA256=AE0C634EC110EAD4AC78E2CAD6E038640828010C17C2012AF6EC7163F7F98F06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:25.428{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2E9F-6227-1E08-000000003602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2E9F-6227-1E08-000000003602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.400{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2E9F-6227-1E08-000000003602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.401{C64CDE3E-2E9F-6227-1E08-000000003602}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.183{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D9CF0416F2578F9887797B38131B56,SHA256=3A2A6FB1E4CA03FBA79F3163E733709F299B72D1E3A0AFC9D8AD5E7F8D12C403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:27.099{C64CDE3E-2E9E-6227-1D08-000000003602}69247008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:28.785{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECF82D96581CBF06BFC2F0F96478D3D,SHA256=8A412254E7795BFBDCBD5A23BBC52D29FD7E1C8123C1E050FA59E0C644CD6026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:28.003{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADF87F5CF3BA35A69386FC0AADE0B6B,SHA256=4FF42954B36601FD3B46CD994C2E9218613970B8C92FF7ABB92E41C75904A35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:28.417{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BEC177E63149E02EA79749EC13BB55A,SHA256=31CB18D737583AB439635E73D121F333538AF50F5A167F069C6808CFE266D35F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:23.608{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:29.800{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACA7F1062233DD1F1547DE0A3ACA040,SHA256=08984530785A67CC624E5CDFA9DD00D7727AF21C9A9450F0E35DB91C4D4D7A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:29.003{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFC538D34FA58D5C3C62313B3F1481D,SHA256=096E2C526382328D97D68909E78DCD3DB5DDE273EFB0DA10CE6EF20DD52231C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:30.853{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220E42E3135CEAEBC61B052F1F2800FA,SHA256=74B198FE4B675917FEF8991E1F82E2640D70CDEA74DD8E2F77351B3A86AB015B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:30.003{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C3C05DF2055CD19C46B5DC8EE16FA0,SHA256=FC302189352AE88C35A55439C7771F02F64482B508991B0C1930B7A401715BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:31.868{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DABF266FB2B06926986EB21A825F62,SHA256=783BEFB62F46E672434EE7E188865EEF1212B42A3A647A686E029FA849076A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:31.003{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC6864C443C1C5F63D4D9556E057C6E,SHA256=8953FE118E7B6774E4359006F698A93218608E46C4957D64944C6925E973B014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:32.874{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B20A706CA5E96876E79478B561B8506,SHA256=25EB8C6E070D7693E8DC82CFF7C86ED0B501147A1241E8821679A4BF7985FFF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:30.428{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:32.003{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC8290F6489F98149161AC3941B0416,SHA256=B835555FD8606D774A384373B4593A6BB40B0C28D03B75FCC133BF2834E36D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:28.697{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:33.889{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476ECA69D584ECB7058B53E71632B61,SHA256=6CECEF1747EA0DB23E23D808A31802901CFB67DBEB52AB5ABCBB3BE7E6721336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA5-6227-7405-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2EA5-6227-7405-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA5-6227-7405-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.707{DCBFC465-2EA5-6227-7405-000000003702}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.566{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=284DCD4F6C9238EF77C9BB8EF2A8984B,SHA256=68D7CDF6A77AA8D9499D460C0F6AB62981057B0B662F4058DF8B85C813946DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.503{DCBFC465-2EA5-6227-7305-000000003702}1868964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA5-6227-7305-000000003702}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EA5-6227-7305-000000003702}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA5-6227-7305-000000003702}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.082{DCBFC465-2EA5-6227-7305-000000003702}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:33.019{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39774717900497BEBE7627F8B8156B92,SHA256=3AD31DB347324898F87EA692B54991F4282083D4ACAE5340B71AC753C06669C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:34.919{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3640DF618AC6599165BADDC3F6F09F,SHA256=C29BEC3AF64A2F687964E8C145A2660D136DFD00AF5AFCA4761EFCE5CE60AD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:34.207{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D836BBCBB34DA372CA28408C3B7040,SHA256=EF64C8572ADF75B6261391DB3B246FB46DACB63B6F3DD0FD16105D6D960130B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:34.207{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BCC08210C8339898D30D917EE3A94B3,SHA256=71F9A20BFD116B1705BAEB7B439FA2068AF71648C63A2C81C680E3CAEB2D2495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:34.207{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36CE957F7677E9628D69B2524DEFD90,SHA256=0FB28FAA43447BCE4B73A3505497DAB7850223BC0427CBC95D404B2ACB6BFCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:35.936{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC12DABE876B58E3F74BCB65687C3A2,SHA256=4B642010BC043B54D7DBC79332BF7D4643D4B65F16EBE170106BCF6484928A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA7-6227-7605-000000003702}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2EA7-6227-7605-000000003702}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.597{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA7-6227-7605-000000003702}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.599{DCBFC465-2EA7-6227-7605-000000003702}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.332{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD866A433D10D749BFC12290A5D826B8,SHA256=05221E1A52F1440D801FDC632B62DAE8394D8E8C65C19DDD531DFC0F92F513FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.316{DCBFC465-2EA7-6227-7505-000000003702}2700364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA7-6227-7505-000000003702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2EA7-6227-7505-000000003702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA7-6227-7505-000000003702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.100{DCBFC465-2EA7-6227-7505-000000003702}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:36.955{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E108258FED67D518A0C6F550BD380CB,SHA256=94CDCBDD5E09598F2F34D7FB41142F20F3516B9156B2D433FB6D45E71D346C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.925{DCBFC465-2EA8-6227-7805-000000003702}19642560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987BF9C716D3FC083D2C0F3810E124E8,SHA256=D0B04E1BE41A3C4607CF9F86722AB2017AB9ED09460C23B062916EDFDA90FD0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA8-6227-7805-000000003702}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EA8-6227-7805-000000003702}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.597{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA8-6227-7805-000000003702}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.598{DCBFC465-2EA8-6227-7805-000000003702}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.410{DCBFC465-2EA8-6227-7705-000000003702}39761432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.129{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D836BBCBB34DA372CA28408C3B7040,SHA256=EF64C8572ADF75B6261391DB3B246FB46DACB63B6F3DD0FD16105D6D960130B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EA8-6227-7705-000000003702}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EA8-6227-7705-000000003702}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.097{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EA8-6227-7705-000000003702}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:36.098{DCBFC465-2EA8-6227-7705-000000003702}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:37.971{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1BEEB4767EB12C522BCBBEFC1D4851,SHA256=3701CB03852578E5E0AA6DBBB769C5C1852E89F17F1DA291D19422D0C08753B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:35.490{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:37.613{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC122E5E634378F39A505DBB6C487372,SHA256=BFC7C3EC7FEF375658B75293768BD35FA06D45908EC731C0E4463C92931AFEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:37.425{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA008A97FD4757539672B12AF53956D3,SHA256=DA93F8572177ED4EAA7C0243E704766A76C5B04C0F2FCA3B0600477F746E2056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:37.634{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.645{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA6DBD6790F852B5BAB95BACD81E398,SHA256=83AA69AA2BAC2E7A6629253285A90345D1FF9BDE9514A8F0264D48D98D581AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:38.986{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:34.680{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EAA-6227-7905-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2EAA-6227-7905-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EAA-6227-7905-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:38.207{DCBFC465-2EAA-6227-7905-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:39.878{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0942460C6E647CDBEBA0CC7F6535F9,SHA256=EC79BDB8D6802B2CC7EF44971EA36F6656D20B597E666D3BC900F590C2C64A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:39.222{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7514ED9FDEA32A6FC6765439500A285B,SHA256=F78930EFD9106C65752983AE6BC184DB93E4C62F5C68E6F66D1E754D0FE157D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:36.205{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51113-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000035299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:36.205{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51113-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 23542300x800000000000000035298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:39.002{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1658294D4D9392848EDD69BDCF5F7A5,SHA256=10A0C7300F741D93EA6CE926B6C245BBB4BCBF2C15CF311CE4AE684D36C916BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:40.894{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7BC5A3D999ED321D18C7DF8BAFDAE0,SHA256=BE9E64D2799C057EFF6E701B2DF6A0A7899D9B8832975915939CAB31DF4E3789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:40.017{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8605403FB1469C77731608910C10986C,SHA256=759DC530CE0A45BF43F2FBADC4B7A929715505CA691341FB987BE9D775AAD33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:41.910{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EF7492FF2E93693E55D0809F7FC4B9,SHA256=397F7C727C037E3CA3B12CE2EFE4DCCDB17C7577FBCBA861918FC408208D8185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.943{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.943{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.943{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.938{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.937{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.937{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.937{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:41.073{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE3BC9FB131F8BFD0B870FE577852B1,SHA256=22F1CC74C7F41BF75C35F03C7A6FFF80B1025C4A1803D47DE2281166093F8700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:42.925{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814A1CDE868B3C226FFC11AC51843F4B,SHA256=A53C947426D78A6633E7EBA02933B972F4ABA8FDAF0FC35377DF3C42A0BCE01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:42.075{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A948EC03F14BFAE1C0CA85D82E1882E6,SHA256=855991943BCC9837AE93EE264A506B83649FDC44A995127B37A871096F6280FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:43.925{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22FFAB9F05CCB5B5A0D1965A89C1CD9,SHA256=FE820BBFF00CB6DAE3DD5833A4B0BA4D6EED5A3925DE903F3F957A291358BB10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:41.365{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:43.489{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:43.489{C64CDE3E-1CE4-6227-0B00-000000003602}6125348C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:43.089{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FC0908A63845EE11EC484CF298AD63,SHA256=A1F456A294D1B08CF762DD83CECD7B9E69931A2875A9E47E64C780F80967C98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:44.269{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:40.683{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:44.105{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8523963218D64789B1AA7E1D8A69D497,SHA256=0E3F67FF4A1E8C73A0E7A30B8DF129CF5DE07571AB7650FEFF4AFDEB5AAA1C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:43.506{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:45.050{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CEF159F78850E960978B5DC495D585,SHA256=01A4BB00A74A265ED79ED639A64E74C5BDC8E2D28404DA7A5C4991EC09A9DF70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:45.790{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:42.053{C64CDE3E-1CE6-6227-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51115-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 354300x800000000000000035317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:42.053{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51115-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 23542300x800000000000000035316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:45.106{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1881E0E08A4C0DF4A18D75869EF57850,SHA256=58CBCB325B30FC575EC584206EAABD032AEB8828743B24CD990E9C70EA27977A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:46.067{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386824B984D912F508E983B66DD8121B,SHA256=94E614CE35C072288BB1C839D065063189BBB69C57174BBE676A2107E7C89BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:46.121{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B9CE12D4F05A312C9798F9246D3778,SHA256=2DF9B844D2EED37ED576D380C0FE0AB0869115EA46BA751675DA58EE69C449E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:47.080{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E64CE05FF15DECFDF5E13CFDFAE80CD,SHA256=BB5C0439A5D1167D678699EAD3A260621B44FFE60C38D0E51FCEDA289E66F428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:47.122{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72D0689CC566B02442100D92E8DDC4C,SHA256=70808E7D91629104BA1F036A5DD7144188F4A55A6C54B152B9715E5F3AAC6D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:48.080{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB090D582A33BF809A3B4C6A2A5E8B26,SHA256=F36E93DD4936AD726E9355067297AC045D3EE4DCBF35443BEED881ED2A9295E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:45.720{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.126{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0BB38D660D3582F3A759AD50144602,SHA256=CA3723DC1B09BD5716D0EFC353B8A609DE0B1B88D991614FA1E4A1374AF7F3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:49.315{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5363711ECEAC7F9E2FB06B0B4FF8C6,SHA256=DA8E8FFB7C50815D0446FBA24A4B7F57A835F87B54DC770FF6851CE55D600693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:49.144{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C9141E7566458C1F17C72B4331FA5E,SHA256=9663A1EFA2633B9CC1E2E7C2BAEE6B9305D8D34B55B43E9CABCE1797F0BCA5F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:46.427{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:50.346{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B724A98D6B2E07900B29B583C3E0FA91,SHA256=FA611F0F8812A68BBADB582BE6EA45802BF0E91744309BD83E037606C11CA257,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.431{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local57333- 354300x800000000000000035361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.429{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local56914- 354300x800000000000000035360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.425{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local61032- 354300x800000000000000035359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.423{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local56440- 354300x800000000000000035358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.419{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57260- 354300x800000000000000035357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.418{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local57811- 354300x800000000000000035356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.415{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local61250- 354300x800000000000000035355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.413{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local59833- 354300x800000000000000035354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.410{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local60884- 354300x800000000000000035353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.408{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local54355- 354300x800000000000000035352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.405{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local59666- 354300x800000000000000035351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.403{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local61023- 354300x800000000000000035350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.403{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local50997- 354300x800000000000000035349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.400{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local55409- 354300x800000000000000035348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.396{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local59891- 354300x800000000000000035347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.396{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53697- 354300x800000000000000035346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.394{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local54398- 354300x800000000000000035345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.393{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57172- 354300x800000000000000035344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.392{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53348- 354300x800000000000000035343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.391{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51577- 354300x800000000000000035342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.390{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local59979- 354300x800000000000000035341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.389{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local55675- 354300x800000000000000035340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.388{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57245- 354300x800000000000000035339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.387{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local54593- 354300x800000000000000035338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.386{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51021- 354300x800000000000000035337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.385{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local50997- 354300x800000000000000035336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.384{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local65535- 354300x800000000000000035335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.383{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53219- 354300x800000000000000035334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.383{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53219-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domain 354300x800000000000000035333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.382{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local52266- 354300x800000000000000035332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.382{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local52266-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domain 354300x800000000000000035331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.370{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51118-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local49666- 354300x800000000000000035330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.370{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51118-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local49666- 23542300x800000000000000035329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:50.825{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1878F6D091806875973228E2BC002E,SHA256=2DBBE75B1C96604D8AC8A2B001EC31990B8664222059FEDFD34999BE726ECB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:50.825{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35766D36F0042236EC47C255FAB63074,SHA256=E507A5E55F2E62D7621C123C2077A9CBC8AE99822D789B03DD343E26AD68905F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:47.525{C64CDE3E-1CE6-6227-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51117-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local135epmap 354300x800000000000000035326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:47.524{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51117-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local135epmap 23542300x800000000000000035325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:50.163{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E00F86FBF60BB824A784D0D1045FA,SHA256=F77C8487229986E51AB3A8F3A475DA52770AE5330D729E07D8D2625B76EE485F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:51.394{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA9AF0E0052E4C65CE438037FDC1C76,SHA256=D2B5A05E940F3D2D524006452FA3CA90E1441BBC12E1C07F58335C6F6F8F9E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.446{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local60582- 354300x800000000000000035368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.443{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local61463- 354300x800000000000000035367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.442{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local55574- 354300x800000000000000035366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.438{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local54356- 354300x800000000000000035365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.437{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local60647- 354300x800000000000000035364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:48.435{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local53435- 23542300x800000000000000035363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:51.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBBAB7A899E90A6EA809CBA7CB9578C,SHA256=04608F57F9F1FC76E10A4495A7D79C0D32D417266CB07824EFE5E3B1B5AD1423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:52.627{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D2359EAAC732AC6B0AC8262F29A1E6,SHA256=55FC2B9499170F2E028EBB9A575C07C2593B23B1CA1AC285458E36C57C326E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:52.963{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=30D8368933174B081F068E5C020F4D16,SHA256=FB7EF74BABE2C72DBF289EEEB2FB9374D577BC596EC75E9803598E893BBD23B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:52.226{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D252C7E1CA197054E79E9B5744E0352,SHA256=2CD1E31D7D978176EA8A60F3A0ED0422B4D7F54664511375CF6317932469C714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:53.737{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6678526ECC52574CC537B1A2BD9E4B78,SHA256=FE39D60BAEC7415C66AA4AF72EDCEFBB7152504C83595B26CEBA4511DB872FBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:50.802{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:53.248{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0954825515536113F53000268A88AD5F,SHA256=47217B1D4D86849A227E102F2BB19E679DED4D4D620B261F0E9BE0D3AF77C46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:54.768{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BD59533D3F8C3EA3A23FF054D09BF5,SHA256=0FD59B46F4475221CA2A7E22861A8B4206640876D57C5228D3F7637DEECD8731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.263{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B3DE016E34BD09E9575EF9AC329D17,SHA256=FF05DA3017D69B6047EB11BBCC90F8676E239B70ABA9B5C53C7652AD62A53059,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:52.290{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:55.799{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9810CBA01FAC05BB07BFAB0279AB204,SHA256=D118F25CF5EC91F4329A443D096A33D9C4D37A5072795794E510C73ECD70B908,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000035380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:23:55.610{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000035379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:23:55.594{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Config SourceDWORD (0x00000001) 13241300x800000000000000035378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:23:55.594{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DB477B57-8AB7-41B7-868E-2991B0EC5E6D.XML 10341000x800000000000000035377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.594{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.594{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.263{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC47D2F2521BFE700AAFFC2957B21EB,SHA256=00A9051E62201DFB491136F5D23F84EAFEE3CBFD86BB71FD6C6D296DAA87DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:56.940{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4608EA08CD42FE7C9EE3CE42DBD751D2,SHA256=D99F9FB83ECC82AD1C4E64F1CD74142963522510F061B9D9278F46F89E027C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:56.446{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:56.445{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:56.444{C64CDE3E-1CE4-6227-0B00-000000003602}6126296C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:56.278{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4D07914E57711E4B0529D3E1450E9A,SHA256=E91B13F7D347B7008E4B251E9AA248201C81D15A3FA5A05C4B4AD24BA88AD494,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.000{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51120-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.000{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51120-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.180{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:5a00:466c:c8c0:382c:81c8:ffff-60745-truee000:fc:ff89:eaba:1d47:906f:b073:4e41-5355llmnr 354300x800000000000000035396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.180{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local60745-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000035395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.178{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local57744- 354300x800000000000000035394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.175{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local63299-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000035393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.174{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local62130- 354300x800000000000000035392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:54.174{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local62130-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domain 23542300x800000000000000035391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.462{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E329931A315AC13BCC1F41B4E7F567,SHA256=F20539C571DCE4DE56D89C1EA42046B283416422723B5F3036551BB77BF3580E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.462{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1878F6D091806875973228E2BC002E,SHA256=2DBBE75B1C96604D8AC8A2B001EC31990B8664222059FEDFD34999BE726ECB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.293{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B2A558ED9765D8EE256EEA299B0AE,SHA256=F551A362CF2FADA2AD603FFAB4D966198D9C7B0AEEE6AE9825ECD17C1741D80D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.278{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.278{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.278{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:57.025{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.838{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51122-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.838{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51122-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:55.569{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:58.293{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A6F1074AB4F3AD510BA8701290E138,SHA256=B3A47358AAC3316D43E45CCF92CA5D66C2D6D5CBB2FD4772E235B4CB05B69C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:58.080{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F638ED991DD55D382C72FFF0854184B2,SHA256=3ADB74B1846A6AEFD57C386278E47374667963785B8A99CA6630F8497AE598F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:59.112{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DD225A41B5B711CFD106AB70241CB7,SHA256=5DBA53926AFA29154511C6A16FCF8DC2A7E99951173543E17BBA7949C5B9DA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:56.803{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:59.424{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:59.424{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:59.424{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:23:59.309{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F1BF31F8682674C5CAE3D682C13E52,SHA256=E5B83F7BF14763CEE72B9B81F13D13568ADB488E41568882914C279829C137A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:23:57.443{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:00.143{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E46A873BCE4E5683598D4F1637CDD6,SHA256=47B32F5C75A431127A2918A0626A62DA2A8B48EEFF0FEA09AD7CD6D84C4994AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:00.343{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D502CEA832611C4795BD9D6CA9D89F5,SHA256=97697C98E65DC80E92862BF6182BBB0EBC1C1795D5914579EE7892C061B6CEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:01.377{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BCACA72842D6524CB6BE0E9BF0144E,SHA256=0CFC728A3DB576FF7826966E02D124D3B10D5C49D2327C006929CD1F8C2CEF80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:01.158{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC0E0C56E8AC2F914852241DB8C7B4E,SHA256=A42A77F65533611B85123BE100F5158AC24355E7CA2CE1D868EB972A0B6B79A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:02.378{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D7CE6D40EB07E4F0C45079BE72E28,SHA256=E4CBB63D9F95876D07F5604327B0E17A9A3D5955A151415B282B08F5F78C0B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:02.190{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFA5BE0BE96C00138F13272451AAB2F,SHA256=C12918C50862E65282A10743D5FD0256ECB3ADD7E2F9142EB26D13C96E264477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:03.427{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-073MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:03.393{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB93BBB9F2ADF4917E7635F82CB67E80,SHA256=33175A77252139978E2DAB49FF8AF51789BB5D750882024E429F91B6A8060B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:03.283{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF0261F1FF95C83F54B3FE46BD0BECE,SHA256=C023996D97863A57170FF583A71BC343B6B207E90C27DAC7FD82BA7DAF1DC3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:04.299{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEC8B68E295EB63FB4B6C35D3B959E0,SHA256=8C1AB10AB25E06B5FB542A4F0B8076494C4A66EB8E5A76FAF6C3D6D5FF5C1DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:04.442{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:04.409{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8452200D8571A280EBA8B660A730A9,SHA256=23CCC796F6D5481D0B9F81FF90F762D64C799EB3E7E05E1B9436D26EC70264C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:03.303{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:05.315{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B247752C1F5D0C95F76CB31C6F118208,SHA256=54BE029DF476A39AC72BD8E037492B21156DDFB946B9EA7AFFB4190D3769D1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:05.424{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C39978E878E6A0AEF838E00D08DD441,SHA256=D9D0436C4A72874B94C3FA6B7FA5AE61F57C172FDD9D23DC89FCBE94506A8402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:06.362{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73F5E517E3E4D7C976F685068F866B9,SHA256=72A71564A847DFC091317269FFB5B203C7FC9F7ECF711AE3C1A87382C51A9478,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:02.700{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:06.461{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9CD5EE7A250520FED564D5F505D634,SHA256=3218E8DBE6A3D30645C4BD84BB492A9D453C74064ECF2DAF0B60923479DB7E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:07.410{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6778E596C2930C5853B888B316FC2BEC,SHA256=A610DE492068549DD2EA5CDE1E20ECD5BF0EA666FE8E606D130DF64268A9B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:07.492{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF0617D99F5E7AE55CB51794F1E029A,SHA256=7EBCCC1DE4B897692C9B2A48DC8053ACCE82D6E348138C5E9ACA9437E58B2827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:08.425{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F120D0668B408A8B3B56E8562E74539,SHA256=DA8EAAE7932B463507B99C48A7D854D6B318D14A3DA2CB78C48F1BF824E93ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:08.506{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243F1902B67495AEA930123710755183,SHA256=071BE1F32C69C581AD2BD97CB0F2D0DE72A948CB43017E5EF729A939D48FC11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:09.472{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781687B3625887E7F4DEF5294446A2FE,SHA256=2A881C4B888C35C4CF3C74CA55CF2E4F24BEDEFCA7742C648C5A204A6FE93452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:09.540{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B282A335269C9204F5C400638C04EB,SHA256=2B83A659C4AEEA3EEE4C527CE54986CD4C99C3934046858270459F8ABDA3BFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:10.743{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-061MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:08.444{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:10.600{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD49EB536D437855A25C18A7863BCF7,SHA256=6787FD955DF9B9496F71CB6B3AAAE68ADCAFE75F0C05C530F38C7DEB2D4BBDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:10.557{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C24A4157447A7969682F06B659D205,SHA256=B0DB2245AA9735CD8369ADB82451926E28E98795A85B7ADC9358C7F509003799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:11.743{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:11.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439B73147B0BAF5DCA3FFE1898705193,SHA256=84BFC275C2756C994B82E327E893F626CB67BFB9D398095AC67E61F4826D49EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:08.648{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:11.572{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D69C324FBD1068F554C6454B8D43B4,SHA256=29ADA35C6842F52EB810E20A6226FC279284FE99042A4422E41C2094AEDAAC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:11.504{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:11.504{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:11.504{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:12.711{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E6691A52A8B2645E58B44D693A2F11,SHA256=921302E3918CE592BE3CC1591831A93E0C43299C089F316EA19D87934DABDA9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:12.573{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CB604153F217E14780EE301828E95B,SHA256=65C33FB21F069D2089814EF5ED115069844685099614D8C735A43480EAFA25B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:13.711{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B520E49E9D8699B29853C672E251984,SHA256=3CFD867838B0167AF452FA307EB5C6CE3DF66758874E1A04FECD7D58EC7424E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:13.588{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC7D32EC7B2BF37C53849F32CE54275,SHA256=6452B556DA408D964540E8237E06858C988D2AC443144D1F8C8CA880B5BF0F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:14.727{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8524DD17D0144294C2B7396A4EC6CF9,SHA256=D9EC6EFD0239DCE1A5F429D7374EBC9F33E3D8EC480EAE9FCF4829A1169DAB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:14.619{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834FF3587F602AC217F0D23AE72080D2,SHA256=79752A2299EF2B32B203E516553EC7B3F8702420329C0004FF0FD9C9F3AC8463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:15.836{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3111F789F7EDC4190DB998C5578A97,SHA256=E3933FD8C186223056C06C9A6F4618A7F33E7CC6C4682507693736F7B7649FA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:15.940{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000035433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:15.940{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:15.940{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF460a8a.TMPMD5=847FF2A64311A111F9C46697989BEF76,SHA256=E334D2C69DEDC04CD4D70803894D1FCB59BA771169046B5DEDA16196007ACB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:15.636{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B96F1B68A34B84EF124265C6FFAC1FF,SHA256=1767392B1C26E6432A2558F5FF1ED7D65167C9479B934770058696069F04D672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:16.852{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBA36FFFE11D484FE2725311FCD8461,SHA256=8FBC9D3B6C9844348A04A588DF3BF570EB95D66FFDF60E6F1C26A91E71F9F038,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:16.933{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:13.722{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51542- 354300x800000000000000035436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:13.718{C64CDE3E-1CF7-6227-2E00-000000003602}3060C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local55008- 23542300x800000000000000035435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:16.655{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB6578822C0B28D40310AEA0D3FC206,SHA256=507F225CE8A293044EDEC244496B2812E8170CAE633BB6DDCEC78BA838630F83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:14.324{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:14.645{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:13.725{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51126-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 10341000x800000000000000035446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.801{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:17.670{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0AA7999160AC4BCBBB2C652DB52B2C,SHA256=6AB3C198AC5654CC92E9415CB385E769097FE3A5091FFED7F4C437781257375B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:18.685{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D9D0C53F481283C2A808D81B105572,SHA256=90438D763FEAE94198DBE8F8044CF20172101D91270E546C15661A81451A7D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:18.071{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07C981C3C578D73B7488478552800B8,SHA256=C1BFC5649C6F9B7E6799E24B60DCABBEDD800CE2F7B3F91BE3096D8F407B6825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:19.274{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A5BD3ABAA32895E070DCA320B17B05,SHA256=2D41A5A4F1AA8B4B79F0B4C7B1E1CA616B03943F0E0BD326FA65081AE0DF8A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:19.700{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387193D01CC9507FDF7D6868B8A947E2,SHA256=26C2097EFAB8F32C577BBF3FE1D4F91B2D5CC1FB8A90C2BBB2858EBF87957199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:20.336{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6D851E179FF31CE818FC0E4D3EC210F,SHA256=50C7DB9507162EB38061579EDB8D42B9DA65A6FA39F4030A02865631563A53CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.715{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5436D03B0F338B015F77C98570304A8,SHA256=96FF38BD293800D6C8CCB9EDA1D1A1E74B4577A1238DA619B3B22FD3B9039379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2ED4-6227-1F08-000000003602}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2ED4-6227-1F08-000000003602}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.415{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2ED4-6227-1F08-000000003602}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.416{C64CDE3E-2ED4-6227-1F08-000000003602}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:20.184{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qh3soqs3.default-release\cache2\doomed\25753MD5=5E356CD243DBEC15F7B368E1DA6CDA04,SHA256=FE7D884545548D5C3BE21600E0AD48CB1153AC7BE2899202998F84E2C1C2AC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.720{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9E06539E892E08A6526A8A255911D4,SHA256=D0E5927330DD416C009E1819FE84703C5E0B9BCB748B6DB97E1FBC7CB005B1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:21.336{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9195CA6F0DD398099D16DFFDB5DCA16,SHA256=E25E8424397D55EA44E920A747404D3C431A4593B55368818A490A14AA0B3669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.420{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAF32488AB6F10598460253A49FC1C78,SHA256=A6E1C0FCBFB401282DD0DEF817C0B8911198EE6D445F5A83C4A483736A55D127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.420{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E329931A315AC13BCC1F41B4E7F567,SHA256=F20539C571DCE4DE56D89C1EA42046B283416422723B5F3036551BB77BF3580E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.239{C64CDE3E-2ED5-6227-2008-000000003602}6284804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2ED5-6227-2008-000000003602}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2ED5-6227-2008-000000003602}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.017{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2ED5-6227-2008-000000003602}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.018{C64CDE3E-2ED5-6227-2008-000000003602}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.739{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E27876E0510A843F48BD780F56E5D9E,SHA256=D210558BC17D02ADFF18FE04957B8CD8045E8272BE64B1CCB3E189C52142AA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:22.336{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02FF68107CE9908DCD8366D1CA9C50B,SHA256=E7564F0DB3CC1732DE7111245BE09D9E8A7B615C97C93FAB2FA13F40D4F507B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2ED6-6227-2108-000000003602}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2ED6-6227-2108-000000003602}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.672{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2ED6-6227-2108-000000003602}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:22.673{C64CDE3E-2ED6-6227-2108-000000003602}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:19.402{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.803{C64CDE3E-2ED7-6227-2208-000000003602}70604384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.756{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CC49EFA8A8B7A74E5F7C1ACCA85963,SHA256=DB24989964937ABDFA68321E1A4F63D47EFA18D9A0857CB8FBB9914078683D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.756{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775FFE8E9424F2A9AE56D3684AC01F34,SHA256=A10820E411EDA08DEED0EF9CE1FF09A0A78EE647A8D892D1E307F603F5F72323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:23.336{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D50EDE001D1D4237933EF79D6F0B54,SHA256=6333AE18FB24D782D9F2ADCEB9B84684FBFB97934F6FAC02261CFB37A51D7B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.687{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAF32488AB6F10598460253A49FC1C78,SHA256=A6E1C0FCBFB401282DD0DEF817C0B8911198EE6D445F5A83C4A483736A55D127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2ED7-6227-2208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2ED7-6227-2208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.603{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2ED7-6227-2208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:23.604{C64CDE3E-2ED7-6227-2208-000000003602}7060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:19.746{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:24.771{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC672D7044484C9D83A789762A6372,SHA256=F1CD0FA31241D6E2108C652286E57346C001222B2949E81EEA6E22C07A6015B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:24.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23025B37A308771832425C5646F877B2,SHA256=49A36B9AE204E9132807C427DA3A22B617ECCD74C1573F1614B3A4756C0B7689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:25.786{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E83096431E65B890D8D90F7F125705,SHA256=26FA23F638DAD5B3FCF80CD0F22A23EAFF131E75D4B242C49244A892F39E6A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:25.368{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980C1C7A9364A0B25DA4CB08F648AAED,SHA256=BAC11461BB491943F8995648844427C857A9F738AFE7D9D2E54FE1EFF5470E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.777{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51129-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000035496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:21.777{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51129-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 10341000x800000000000000035517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.950{C64CDE3E-2EDA-6227-2408-000000003602}56963208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.786{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFEF12B4F92BF4A1AE6D3DC31AA6908,SHA256=6552529A9B053CCB78706AC62E858F1B814292CD179F0992C5282BB775C69F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:26.383{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B1F31B5BE033BE889108243808F875,SHA256=248E177FEDFA3545DF97ED07630D0C6983A5BC8EDB298C36D9F31CD7E5F18C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2EDA-6227-2408-000000003602}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2EDA-6227-2408-000000003602}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.686{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2EDA-6227-2408-000000003602}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.687{C64CDE3E-2EDA-6227-2408-000000003602}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.236{C64CDE3E-2EDA-6227-2308-000000003602}41886656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2EDA-6227-2308-000000003602}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2EDA-6227-2308-000000003602}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.017{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2EDA-6227-2308-000000003602}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:26.018{C64CDE3E-2EDA-6227-2308-000000003602}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.796{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117B0A1B31FFA0ABD8A1BA8E77D33138,SHA256=8468D2D1AFB8D0CD13AD408C1D3A418BB2CFDA0AF8E48C9F104DA5FF6776F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:27.398{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367C0010E794EEC97ECDE0A541683BC3,SHA256=4072F2866011A202104BFD9029533BC50B9A86A611882BBB732FAB03F9EC5DB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2EDB-6227-2508-000000003602}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2EDB-6227-2508-000000003602}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.380{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2EDB-6227-2508-000000003602}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.381{C64CDE3E-2EDB-6227-2508-000000003602}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.343{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.343{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2523353D841F2A1D0A806D5B82BE7DE3,SHA256=A52A4713F3450BF80BF82D479C4E785DB0CFBB9FEDD0B75371D35AEE72A1DC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:27.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A60F72EC9D00AEDF744654D7106D1ADF,SHA256=65AC9B08038EC1FAE0258AF6010A62728C3FF7A0F25B006489BF3429349B87E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:24.497{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:28.796{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0A238B7A7A80A4D930CDB29EFC04B3,SHA256=5D00E6D013D18F3C17286C6094758FBF95F154D44D805AF22E2AA89E7CD4F263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:28.429{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8D1398813CA59C43A37F2D765D3065,SHA256=83B2B4DD82E99C16E5E5024CFEF135DD2090D55DE115C567F255D2A6CDCFA437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:28.395{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A5C2D84B9DB4C96A5922931BCAB5CA9,SHA256=2857E23167C7E811F4D5EA2E2FA5AE122B2EB25F0FDB06457961B12911021C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:29.811{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A172B2FAE4700DAF38405449CFF4D6AF,SHA256=2A135E379204EAF4B03F6D474583400DD51C8EF64E67D5F19F8CD9F87711E584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:29.445{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB6190486FBEAD12AF1653AE4B21B91,SHA256=76A45C4A3D906682FF45CFF1964C9BA5D1A6E990AB32A316FF9E708B424D554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:30.826{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F444B5B6AB7A2FB4125AD86FAD163E,SHA256=278370B362527955E59AE949E807AC4621EAEB48180CC203789DDC06CD874CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:30.445{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2491508DD2AE2BA7070C2680D48FC6,SHA256=37FBF20F0156F205A4E969E99225335FE2BAFC792335E6BBCADFFCF1E0A7AF23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:25.739{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:31.862{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB686ED731784B5014560C345564103,SHA256=56D92EE55C676490B4C8D55FD28677FF3A9848EA1CA61D244798A8DAED1C3A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:31.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9ED1B702043769564A7A9D43C2E1CA,SHA256=68387EEAE5B3A4BDF7B591B8D8C8146A583FF1574343D7252C0BE9C40491DA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:32.896{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81F45B7B00CE70BC34C30CF24F13010,SHA256=CA0A25C0F101A8154DDEB0EA6437839A20E45FA70C5947C6FE47914608A23B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:32.538{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C33ED3A935C29210BF061ACE7CF6103,SHA256=09D00AAF003759CB556258EF2C1D64F0A6BF35A8CA06B12518925552E9E0A6D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:29.510{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:33.896{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A1DAF2E7609C5F0E809B06B50E27DB,SHA256=1CA11E0478150BF2E4A747D2755230ED767B6BED05D456D11B1299E4DB8FDD69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.992{DCBFC465-2EE1-6227-7B05-000000003702}32963264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE1-6227-7B05-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EE1-6227-7B05-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.757{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE1-6227-7B05-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.758{DCBFC465-2EE1-6227-7B05-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.570{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7236E4690648CE67225308BF76606A0B,SHA256=97989D2BDF3108320F7C26CF7B2C3D97930354AF37A11035015EF703F466F0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.570{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F55EFFCC48F8FD2DD584837F89BCF9E0,SHA256=2CA773F00B09204564F79454EA46ABDF1105AFD9CA222717F96E5719F6754871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:33.011{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:33.011{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:33.011{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:32.996{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:32.996{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:32.996{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:32.996{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE1-6227-7A05-000000003702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2EE1-6227-7A05-000000003702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.085{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE1-6227-7A05-000000003702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:33.086{DCBFC465-2EE1-6227-7A05-000000003702}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:34.679{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF06E571DF7DF01612C85977020523B2,SHA256=04818B406799F8587368527057E57965332C6D6DDBD5532116E01D65A6755507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:34.911{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F528253E8E61CAFC2952DE05C67B55,SHA256=ABE3E56B42D8587DEF8D209EA19DA038988D43904E2A06B21A611C09B0EA40C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:34.180{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-0C00-000000003602}824C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:34.180{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:34.180{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:34.101{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E8725E39C4D767E8E9945F771C6E458,SHA256=D538CB26928C9B1926EFAF61F6833DFE8961ECB8259CC67E21D57DADF4EED936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:34.101{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EAB62533462E1D2DFC20B5003F0A5B4,SHA256=C5B058F8894F6577EF3494564B84461E36484FF6F516BE0BFA40DE1FD4378C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.710{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EC5998082975E0314D5D7CFC537BE5,SHA256=B5A551176E49D259F9E46406D10E6C47CD62A08895162ECFB1A79F8339B5CAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:35.926{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089ADACBC2EE66E03AFB292193F00DD4,SHA256=65BE6BEA8B8A084B9986CEB0E5004AE36857603FF5C9FED2F9EB7E854603081D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE3-6227-7C05-000000003702}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EE3-6227-7C05-000000003702}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE3-6227-7C05-000000003702}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.117{DCBFC465-2EE3-6227-7C05-000000003702}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:31.770{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.851{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCFD3AE82B1AE783B24FD87894C915B,SHA256=452AC39BE0B37B7D220E4115273E617AF3001709C0AB0EBE9A56E381C375CD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009335C61BDBDF009B373F956C0BCF28,SHA256=A463C4D6F5062CCEC1988AE63E3E73F93F502E13AB057029DF14CCB2DB1C65C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.926{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.710{DCBFC465-2EE4-6227-7E05-000000003702}3056732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE4-6227-7E05-000000003702}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2EE4-6227-7E05-000000003702}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.507{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE4-6227-7E05-000000003702}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.508{DCBFC465-2EE4-6227-7E05-000000003702}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.259{DCBFC465-2EE4-6227-7D05-000000003702}2748980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.148{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E8725E39C4D767E8E9945F771C6E458,SHA256=D538CB26928C9B1926EFAF61F6833DFE8961ECB8259CC67E21D57DADF4EED936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE4-6227-7D05-000000003702}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2EE4-6227-7D05-000000003702}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.007{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE4-6227-7D05-000000003702}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:36.009{DCBFC465-2EE4-6227-7D05-000000003702}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.725{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.725{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:36.725{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.882{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0189D7C0AE3D065DDB0044FCE60BA925,SHA256=F0A583148FE34BA91EF0CA2E67F0598C7342E8FC92E13D794CF892D9EF2A5D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0740DA0B975881AFBAE5FB735D59CDF7,SHA256=338A8AA92BFFF9906850362AC09D49C2F07A1304C9C495E803D2F1406EBB3A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.429{DCBFC465-2EE5-6227-7F05-000000003702}29881104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE5-6227-7F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2EE5-6227-7F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.179{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE5-6227-7F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:37.180{DCBFC465-2EE5-6227-7F05-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:35.417{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000018932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2EE6-6227-8005-000000003702}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2EE6-6227-8005-000000003702}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.210{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2EE6-6227-8005-000000003702}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:38.211{DCBFC465-2EE6-6227-8005-000000003702}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:38.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF168C5765B16273FCEBCE0F7DF0EE2,SHA256=36C4AB69F77CF6AE836C66557C667BF3B7CDF960ABCECFAC048D5BAF4FD541E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:39.288{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEDFA04E519607E5677185861B9BAFD2,SHA256=B50A77C25E08899EE75EAAC1C58DC1A6072189E4ADA6CF87C531BC0622549310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:39.007{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565817AC53AF9EB60F16AE96B46AE7F9,SHA256=525DA0EFDCD2F903A17CCDE7F7026007BE939C31B2F1BFD02B3E58D14E2D77AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:39.225{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7E9F8F0981650C5B004C370E94CE4,SHA256=DE13D26F4A4FA00E23618EAE13ACB4238E039EFD69BF83D5D9DEEADA0C0F5961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:40.260{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A93BF8537310232C26F8161E7C68AB2,SHA256=F9806CB8407BE632DE990E622777F67DEE5080534D20C2F24714C8669784ECC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:40.023{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E52F649AD1030BE5461A6A9101147A,SHA256=BAB240059B39BD02595E3F8FA693B35D940D76F2D1566261BB8B4C1A64E60FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:37.613{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.363{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.363{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.363{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.361{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.360{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.360{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.360{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:41.278{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1456F788A9B0B344BBD78B71E9A5BC,SHA256=F821C278A7A6DBD63D00E508285147A979E27E9DC9EFBAFE55ACC4FB4E8B8DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:41.023{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A14A6DF5791D659A51EA68EF73A9DF,SHA256=8B49FD574108DEA5CD69FCC7A14F102096A376EC55AEEB9F379F8DDE66FD87A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:42.054{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49C314BE10D0E7492912D930744B46E,SHA256=E933FFAB731FE3A8C0A36F4930224C7C9E72CB82BA60000B6327A4668D34DB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EEA-6227-2A08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.980{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEA-6227-2A08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.990{C64CDE3E-2EEA-6227-2A08-000000003602}700C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-1CF7-6227-2C00-000000003602}30283024C:\Windows\sysmon64.exe{C64CDE3E-2EEA-6227-2908-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+167a2|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+17c8e|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEA-6227-2908-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEA-6227-2908-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.963{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEA-6227-2908-000000003602}6740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.965{C64CDE3E-2EEA-6227-2908-000000003602}6740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEA-6227-2808-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEA-6227-2808-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.941{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEA-6227-2808-000000003602}6784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.940{C64CDE3E-2EEA-6227-2808-000000003602}6784C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEA-6227-2708-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEA-6227-2708-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.909{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEA-6227-2708-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.919{C64CDE3E-2EEA-6227-2708-000000003602}1184C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEA-6227-2608-000000003602}7068C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEA-6227-2608-000000003602}7068C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.894{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEA-6227-2608-000000003602}7068C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.906{C64CDE3E-2EEA-6227-2608-000000003602}7068C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.294{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FCA2D14D25AC56FF6326C7DA0AF674,SHA256=94BD015558DDB4C37B92237A7EFCE5855FA8597884ADB6D0939521A8869C8742,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:40.495{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:43.258{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF552158C35FC6F5BADA93445A470F7C,SHA256=D9C49A7D0254AD6B38F33F4C17608C394FA282DCB99ED8D08DCAB255275086FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.971{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEB-6227-2F08-000000003602}5672C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.966{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.949{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEB-6227-2F08-000000003602}5672C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.966{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.965{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.965{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.949{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEB-6227-2F08-000000003602}5672C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.964{C64CDE3E-2EEB-6227-2F08-000000003602}5672C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.903{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA83783336BB4AD8B2B443681AA786C,SHA256=8BB090180859EEB9FED086CC00E9FCA5975BEABA114BE29132947DFF0C2A602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.903{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B1143FF913349EC519817AA63048BB0,SHA256=BDB809A7DD67A26B986C4719332899B19979C7F66CEE2A8B8D0891C7E75E5AA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.815{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEB-6227-2E08-000000003602}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEB-6227-2E08-000000003602}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.783{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEB-6227-2E08-000000003602}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.797{C64CDE3E-2EEB-6227-2E08-000000003602}6336C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.299{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD0DE2D6CBAFA30DF7EFA9F56F08389,SHA256=7252B26D690D17D329FED388043E90E6F97FEBD254BA66162B98B29E9A3A2AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.109{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AB4A17E0F2EEA1061F815FBA052C14,SHA256=AFE41F5FED2233F9B6814310F5BFBC2AC510BC2456B718A62E4EC18FBB1BFF89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEB-6227-2D08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEB-6227-2D08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.094{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEB-6227-2D08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.100{C64CDE3E-2EEB-6227-2D08-000000003602}4496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEB-6227-2C08-000000003602}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EEB-6227-2C08-000000003602}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.063{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEB-6227-2C08-000000003602}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.069{C64CDE3E-2EEB-6227-2C08-000000003602}2164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.026{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEB-6227-2B08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.010{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.010{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.010{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.010{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.010{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEB-6227-2B08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.995{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEB-6227-2B08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:43.008{C64CDE3E-2EEB-6227-2B08-000000003602}5692C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.995{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEA-6227-2A08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:44.367{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7051A60D3D545A88FA02CC28DF9E01,SHA256=8781354138C574386179F8286AEB704415601B4D8E9F1F2DDDFA8A8C379607F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.950{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA83783336BB4AD8B2B443681AA786C,SHA256=8BB090180859EEB9FED086CC00E9FCA5975BEABA114BE29132947DFF0C2A602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.303{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18046C62FE71230CB0D55E8B58E798F,SHA256=A72E38711840317A4BCD92A36DEDCB3B7C5A1489B19B654F61DB015513251D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:44.288{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.249{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3508-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3508-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3508-000000003602}5464C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.229{C64CDE3E-2EEC-6227-3508-000000003602}5464C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.218{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0218700E1A07E59C8D49E88C386C0BE8,SHA256=37BCE49D89F1D97F3DA9E2C1F611A29D4B3F99E4A676C930BE1AB93200439DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.202{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3408-000000003602}1520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.202{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.187{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.187{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.187{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.187{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3408-000000003602}1520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.187{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3408-000000003602}1520C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.200{C64CDE3E-2EEC-6227-3408-000000003602}1520C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.149{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3308-000000003602}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3308-000000003602}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.118{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3308-000000003602}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.129{C64CDE3E-2EEC-6227-3308-000000003602}6412C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3208-000000003602}1636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3208-000000003602}1636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.102{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3208-000000003602}1636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.101{C64CDE3E-2EEC-6227-3208-000000003602}1636C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3108-000000003602}4264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.071{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3108-000000003602}4264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.076{C64CDE3E-2EEC-6227-3108-000000003602}4264C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3008-000000003602}3000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3008-000000003602}3000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.033{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3008-000000003602}3000C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.037{C64CDE3E-2EEC-6227-3008-000000003602}3000C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x800000000000000018944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:43.526{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000018943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:45.523{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA808807371EEBF1A10531FF55EFD804,SHA256=C0CDDC1EFFC2A909B6C3EFA5D9A5DA17D781086D2FE5437A767A20ACECE38BB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3F08-000000003602}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.904{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3F08-000000003602}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.904{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3F08-000000003602}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.919{C64CDE3E-2EED-6227-3F08-000000003602}7164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3E08-000000003602}6640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3E08-000000003602}6640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.888{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3E08-000000003602}6640C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.896{C64CDE3E-2EED-6227-3E08-000000003602}6640C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.868{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3D08-000000003602}5636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3D08-000000003602}5636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.851{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3D08-000000003602}5636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.860{C64CDE3E-2EED-6227-3D08-000000003602}5636C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000035801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterDeleteValue2022-03-08 10:24:45.835{C64CDE3E-2EED-6227-3C08-000000003602}5340C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth 10341000x800000000000000035800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.835{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3C08-000000003602}5340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3C08-000000003602}5340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.804{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3C08-000000003602}5340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.818{C64CDE3E-2EED-6227-3C08-000000003602}5340C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3B08-000000003602}2012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.788{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3B08-000000003602}2012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.793{C64CDE3E-2EED-6227-3B08-000000003602}2012C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.435{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF9709D83F9181EA3C947879C10C42A,SHA256=C6E3EBD6E44C2D96577E3DDA4BAB1E316D28571E211C18F2420AE38CF5AB6254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:42.621{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.087{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3A08-000000003602}5748C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3A08-000000003602}5748C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.071{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3A08-000000003602}5748C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.083{C64CDE3E-2EED-6227-3A08-000000003602}5748C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3908-000000003602}7020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3908-000000003602}7020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.052{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3908-000000003602}7020C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.058{C64CDE3E-2EED-6227-3908-000000003602}7020C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.034{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3808-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3808-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3808-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.030{C64CDE3E-2EED-6227-3808-000000003602}2656C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000035758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterSetValue2022-03-08 10:24:45.019{C64CDE3E-2EED-6227-3708-000000003602}100C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealthDWORD (0x00000001) 10341000x800000000000000035757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.019{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EED-6227-3708-000000003602}100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EED-6227-3708-000000003602}100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.003{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EED-6227-3708-000000003602}100C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:45.016{C64CDE3E-2EED-6227-3708-000000003602}100C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEC-6227-3608-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EEC-6227-3608-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.987{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEC-6227-3608-000000003602}5580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:44.998{C64CDE3E-2EEC-6227-3608-000000003602}5580C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.735{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A67B5E6F4F4B43A33479C51CF4C7BD,SHA256=97AA81591EB5D442D290654B68127B23783E127EA5F76C5417CE0582594D7A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.704{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FD1E91D546A11A88C91A258229F760,SHA256=B774EE960AC11488CB5A0A0F47219DFCD54D8F83D9BB5E35530D120EAAE38C5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4608-000000003602}5648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4608-000000003602}5648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.688{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4608-000000003602}5648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.693{C64CDE3E-2EEE-6227-4608-000000003602}5648C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:46.554{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33D7491C050EB9E93973AD629303E08,SHA256=F4F8A45D005F66F31C33A2C7373AC48C4261E185E42884E463DB3BBD980A6102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4508-000000003602}6204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4508-000000003602}6204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.672{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4508-000000003602}6204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.677{C64CDE3E-2EEE-6227-4508-000000003602}6204C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4408-000000003602}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4408-000000003602}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.651{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4408-000000003602}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.658{C64CDE3E-2EEE-6227-4408-000000003602}4844C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.635{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4308-000000003602}5356C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.619{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4308-000000003602}5356C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.619{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4308-000000003602}5356C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.634{C64CDE3E-2EEE-6227-4308-000000003602}5356C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4208-000000003602}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4208-000000003602}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.588{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4208-000000003602}7144C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.598{C64CDE3E-2EEE-6227-4208-000000003602}7144C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4108-000000003602}1612C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4108-000000003602}1612C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.572{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4108-000000003602}1612C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.578{C64CDE3E-2EEE-6227-4108-000000003602}1612C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.566{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEE-6227-4008-000000003602}6388C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEE-6227-4008-000000003602}6388C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.550{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEE-6227-4008-000000003602}6388C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.562{C64CDE3E-2EEE-6227-4008-000000003602}6388C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:46.004{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E173F343D49FEB182FD4906E556D572,SHA256=6E91121F1756610BD2EDB7710819105AE99A37468A026C80C9568CF3CB207DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:47.559{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16C0032072CD465EF43D31EFC100F13,SHA256=C2F1F28F86C3AA97B84D3E9FA7F596BFD59CA0B8C12DDABEB3861A5B4770B9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.903{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFA7C1783A8D32C7B04FD85CAF46C59,SHA256=5D8B904EFCEF28671425C872441B2A220742B6B1CD94AF16A3B7907D147F127D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.888{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31C1843547F110D0F8405A89D3EC1B2,SHA256=24368C9EB132752D267BC56615CE228B3BD1A8A6B0276A26E4BA7C715A7EEDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.888{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118BAE3804D03F2E14B3E60455D9A22C,SHA256=C25DBEFF9AA185E7D1FB28E361D61F463FABE7F8BF142AE95551DEC7B74DC72A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4D08-000000003602}5972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4D08-000000003602}5972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4D08-000000003602}5972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.519{C64CDE3E-2EEF-6227-4D08-000000003602}5972C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.503{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4C08-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4C08-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.488{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4C08-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.501{C64CDE3E-2EEF-6227-4C08-000000003602}6652C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4B08-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4B08-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4B08-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.472{C64CDE3E-2EEF-6227-4B08-000000003602}4768C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4A08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4A08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.450{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4A08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.456{C64CDE3E-2EEF-6227-4A08-000000003602}5916C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.435{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4908-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4908-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.419{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4908-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.431{C64CDE3E-2EEF-6227-4908-000000003602}3856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4808-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4808-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.404{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4808-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.413{C64CDE3E-2EEF-6227-4808-000000003602}4444C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EEF-6227-4708-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EEF-6227-4708-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.388{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EEF-6227-4708-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.395{C64CDE3E-2EEF-6227-4708-000000003602}1484C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:48.902{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5559D8F3189F7EA6FF296FA104C628B0,SHA256=32FFA13B2067AA0A1A0EA6E2B374C2B44D93100ADDB3BBA62140326CAB33B2C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:46.437{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:48.559{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12668B90B4959AB90C01C0AA2BA7E52E,SHA256=8E388CE2EB0E7323CB490CD1E26C9B1843C51041D778F477DD0C48C118AE6481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:49.574{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E9992BDB2118D32ED44F0CF1653557,SHA256=B5B334BC3C0959BEA9D7CA358706DC13992CC65ECB8A8D6348140C85ABC7B11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.471{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF1-6227-5208-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.464{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.464{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.449{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.449{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.449{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2EF1-6227-5208-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.449{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF1-6227-5208-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.463{C64CDE3E-2EF1-6227-5208-000000003602}3208C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.433{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF1-6227-5108-000000003602}4232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EF1-6227-5108-000000003602}4232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.386{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF1-6227-5108-000000003602}4232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.404{C64CDE3E-2EF1-6227-5108-000000003602}4232C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.286{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF1-6227-5008-000000003602}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EF1-6227-5008-000000003602}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF1-6227-5008-000000003602}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.262{C64CDE3E-2EF1-6227-5008-000000003602}6712C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.249{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF1-6227-4F08-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EF1-6227-4F08-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.218{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF1-6227-4F08-000000003602}3948C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.229{C64CDE3E-2EF1-6227-4F08-000000003602}3948C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.186{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF1-6227-4E08-000000003602}5376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EF1-6227-4E08-000000003602}5376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.171{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF1-6227-4E08-000000003602}5376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:49.184{C64CDE3E-2EF1-6227-4E08-000000003602}5376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:50.574{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F4CFCFE894C6B3398BA93379CF6147,SHA256=C53F1CF07F97BE677F9344DA32087689A0C13BBA7309775AC79922AD72BCDD0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:47.705{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF2-6227-5708-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EF2-6227-5708-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.304{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF2-6227-5708-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.308{C64CDE3E-2EF2-6227-5708-000000003602}7008C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.271{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF2-6227-5608-000000003602}6584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.271{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.271{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.270{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2EF2-6227-5608-000000003602}6584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.270{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF2-6227-5608-000000003602}6584C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.270{C64CDE3E-2EF2-6227-5608-000000003602}6584C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF2-6227-5508-000000003602}5632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2EF2-6227-5508-000000003602}5632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.233{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF2-6227-5508-000000003602}5632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.241{C64CDE3E-2EF2-6227-5508-000000003602}5632C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF2-6227-5408-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EF2-6227-5408-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.217{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF2-6227-5408-000000003602}6276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.223{C64CDE3E-2EF2-6227-5408-000000003602}6276C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000035994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2EF2-6227-5308-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2EF2-6227-5308-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.202{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2EF2-6227-5308-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.208{C64CDE3E-2EF2-6227-5308-000000003602}1632C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000035986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.187{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A2E867BAC8040E6D8098F1CBCC09BF,SHA256=ACA6C414280622DA653DEB7F50C54C83A0AAB4196DC96E0960E742BA58E97D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:50.149{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987C3783782628E4143D4B5B0A98821D,SHA256=DD9B8FE8C5AEDCB67D8C57907847D98C1B518BED27DE035228EA79D31056AD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:51.574{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6C6748D4423B2F862A81C0F79428BC,SHA256=3D06052D1A456797AF98ED1984F6EEFD2F92C1763EBC77D2012EB860E95B69A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:51.334{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185E005F6B432E56F528623C97A0C7F1,SHA256=D119E97BE486094CFF38C0164B16223F464412F9B4A4C3A98E157CC56AD01D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:51.334{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=212C2B307FA12D4E7DA31E5907CEC6E3,SHA256=46FB894E60CBC6869047BD4E03F38179756A3F78FCF1B794521C78A17E131F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:52.590{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42171F15C2F700C9099BD5D33A98CE72,SHA256=138DB28EC9A44063E01C4F095764ED63AECE24362BA8BC6839EE64FA03E03D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:52.986{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CEDCBFDE78BA24D99BABA9A33A7B03FA,SHA256=DA2F22363EACFB324A2168DF12109716480CDAD1FAC9FD6DB941398DB1780791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:52.348{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A237FEE5586F45DCF762345FA1F9B30,SHA256=C44072AF535EB87274F54766A5446C6091034E2799019EFAE484F235FD4FFB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:53.590{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472B57EC257D3CB357B155F0EE3D4495,SHA256=36D8FB9646B57E758B995E9C0DCA25F556960CE07A9A7487CA40FA766BDE9B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:53.366{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E3C50AF9B626AA38C011AC2AC374F9,SHA256=DB6354A197F56FDAD33821A2402577AE2AB400C25CB495B5A52CD3E42F4A2F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:52.421{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:54.590{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D24F55BFC0A81755735C1660BF9880,SHA256=012613B100AE9217871A2D31688F94AC3233B62F73F19A26707B62A0F0D652E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:54.400{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACB70BA09FF06C5DA3E361CA15DFD25,SHA256=8F8B6FA8F6DC5D65A78F0C584898E12D2865C7D1CF5DBFADA77E2FBCF7908CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:55.590{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450DDEF6F345F3FA51BBFD523EABE491,SHA256=7885ED3ABBA7EAA895AD808FB824E8C7D578FB9883D1B1ABE9BEF234917684C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:52.740{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:55.431{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C81C4A3AAAE0FB2008C2DF019FAEBD,SHA256=2CAA11225FA744AF8127CB8E399B7D3C2FBE7CE5956DB5B16CABE06C2D469302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:56.605{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C53A3C51845734121ADDC8BDBCA243B,SHA256=162B7B12ED091EF0E9BF8BAF7F99F3A50DF69B182A8F6BA0AC329820319AF494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:56.464{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA92F97FFF42F67330A43EC77638F25,SHA256=42E4E43A001FEE18E14A986659051C86A25B211AEFD35AA048FC73358A8FD9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:57.793{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5313F2E64BC5BB71DBC7376A80FD7B75,SHA256=68CDE75E5B6C32891E9181ADFBA93023BB36B91462FACEAAF3A6B1DC93A9A129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:57.498{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274A9A318885786B4382A48C914B7BB4,SHA256=86A1E5CFE4A6E2C6750D42810FA9529A7EC69174F2C2CB08B42E2FEB02143C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:57.067{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:58.887{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67407C8FE5888D019D62CEFB75E9D447,SHA256=7A4A12B7E291309AFE41B4130C7787FB71D5CA36B7C49C59819538AE92A31DF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:55.600{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:58.499{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AFDB372904954C09EF4EA3E1B93FB8,SHA256=1180910454CA6F55B3A68C15691F10FC2148E1FA5A2453CB42254B24049EF4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:58.346{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=358293E04890BAEED5F8B868E2A871C4,SHA256=1E76AE430FB84573DDAA8984A60B35BD44EB83A0DBFEBA6D0D595255DBB01241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:59.934{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB6DCD075A10D5469461C6214BDC17B,SHA256=5D8916295AFEC7990ADD6B7CE02D5E85C8E114BE82B327E92219165D27B22806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:59.545{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B806C17DA9D60DEE95711442252DB1C4,SHA256=E57924A2D5EC8ED195B22E01469186A1580897DDF6E1D9A38F61CD31145AAF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:00.996{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD142C2E6037A21FAE621952E042F51C,SHA256=859CB9F1A7574DA8B336F690BF612AC1932644870C6D453129E4A3BB2B84EB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:00.563{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2F9AFD164A25DD55381F816811D468,SHA256=A6757352D10C2FC68ED5B7D713E492AF3C0C8BBDDDE29E577E96393DF536AFC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:24:58.771{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:01.598{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36B223051DC73CCAA9D21B94B46E184,SHA256=68D4FFDDC2E98E9DFD064A4241F2C51A131DCDC678DFE0F55882B36539E53E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:24:58.390{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:02.613{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D45AE880AF324D4099B7F9757481A3,SHA256=A5522A8CC84D2670BE0CCA1E0C30C3A82024BAE0AB9F2BD75054A05C6DBC8277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:02.215{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF438B4AAC123EA222C2E8C97E8C0FE8,SHA256=616E8031867D18823257F988666CFCB32ED66D78103C104DB8AD5BC741073B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:03.628{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16BC11D0915EAC65A98AB27E388064F,SHA256=70250617C7D908C0E43924A87D8E5652488DF53E0CD0DD8D8414AD01B96C6559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:03.215{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBBD380EBBECE9A0526C291875F2359,SHA256=A78DB840052A2E7DC4BDB2EA003E00579029F23A2338FE3DA2D659F74DB2F0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:03.361{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=E98F5B107AF244EE877EADE595D7228F,SHA256=E92B3D361379AE1CF5EB88B2D1826B7D85F1F0C5E2324DC671BA9B5981A9D90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:04.989{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-074MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:04.649{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B07750FB15A0474A2E814F0A3B1F9F,SHA256=0953908653A8087E11DCF7B01AF00A8A902F5E40C016A80C6E4540FA429E9BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:04.232{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AC5F8183340CAFA23C1A8B50B4B359B,SHA256=997C94F557EBF19312DF3124F3A604C7A82C239348BDE4EAC129925B804028EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:05.669{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489C97A66465F4B99DFA615570F3CE75,SHA256=CF0B176F1E0E4C58928630F30866977EFB4CEB8F4BB2E5DFE323776E01435E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:05.293{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7266AA1097DFDC6B117686187F6178A,SHA256=F009FD551449DC42AFC0A66848E966C3B5BEAEFF4E140CA75D20760D5362E8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:06.309{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433699A5DD957AD7C7BF671AB2108BEF,SHA256=1E6245A9295FCEC994F807E73C4B4329ABCD9A4993ED5DEA4D6883B4E0FC94E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:06.687{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9937B3F889330EED9DE5876E6D4A46BA,SHA256=43105E27281257BFA474EC6C8D0BC4C1CFBD4A953514CCB726BB03417F60E6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:06.002{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:03.421{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:07.407{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5093746FE17B199DAE83037A5CDBDF01,SHA256=FB3218FB473BCC4B5C16A57068AB50D1827E0B323570E2149158845674B20893,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:03.803{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72DEB2B1FBF0D0367FA8A9156492063,SHA256=B1F4243889C28AFC4BD9BDFAD5C65DF55335B1987C8128CE9AC43707A96AD74B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.071{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.071{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.071{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.067{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.067{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.067{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:07.067{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:08.547{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76286A2A83F378CDCA66C0897DFA476,SHA256=9D4B6B695D8C982A5288EF4260F0D538CED13D485E9716483B288EC110EE3945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:08.718{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9887A708EEBD2452D9A678F6E3168F9A,SHA256=A02FF5E144AAEAD8C9B7B1D7ECAC9ACD3A5197F445705B5F832D8CF11A12F8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:09.657{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36781EA717CAA7DA25C38CF009DF57D9,SHA256=D0C6EE75596036B8EE39508269B436A02ACF0CE1B769F5C53C0727705A03AE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:09.748{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DEA8A65822EC2AADB4A2DAB91492F6,SHA256=368544FAA1EB5ACBB736FCEF085F439D5939F5D31163F0D7DA9394674DF5DB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:10.672{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E57DDE80722311A579EA5D3ACE2EAA,SHA256=4C5247109382A11BC5221A3A4CA8C32467F029B02F2FCFDB2EB26437D2BAF2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:10.749{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1160922CA2DE5FD0BA3D8EBDA347C55,SHA256=4D6CA18FE73EB95CDE4C0D4CAD13F40EC6080C6735C8DEFC22C022CAC696B70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:11.688{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F1D1D92F3F5FE128C4977B7FFD1282,SHA256=2172EC21C83AC63FED079C8E670395517D4DF2691101D7F0378A3343F0706753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:11.770{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B81647BF53B3DD3A93537134263B322,SHA256=D7483E1DB8569EA971D88F21200BC330EB82050D12D2401D9046003E7093F8CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:08.426{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:12.690{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B258F30E7A8C7887A479455AAA3FD317,SHA256=2FAD6B9CCA2771E5213E72F7B53D312DEE442902CF7495DBDD929DDB60F0811C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:09.603{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:12.786{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C374A07887E9BF7F85085B5B599D759,SHA256=3AC084ED5E0281E2B97D808EC332F288E4D11B3FEA92983E64256AD9C5D73022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:12.272{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-062MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:12.467{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:12.467{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:12.466{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1500-000000003602}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:13.694{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3331B53551B0FEC75E54AE42BDE28F0,SHA256=AE1D249E7CD4440D3FECA3BE6CDF25BB0B881EF128DD0C6E2EED24BB84827885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:13.786{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE8E2C17F690E8A9FD448D2938F4AAC,SHA256=78B02646870C447B655773EDC819724C2CB16AB6C1647A9FC2D8EA81E3F05872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:13.286{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:13.533{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\aborted-session-pingMD5=14A733202E9F0B07735D3CE9DAB6DDE7,SHA256=039E9FB1E77F68D7EF5B0A8A5D7177F23CA9422EF766B351E23A2155D119F64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:14.696{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F7EB0D5712B3A279C18C91732469F0,SHA256=1013684F02C414FE621D0F35258F50C9403E5386350AB3C9A40F12BB22734FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.817{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1704C6C3FF7696E2450A9DEA72E21A14,SHA256=D992AF9CF9E7924D62ABFCBD15350FD60B013CB44D6403E913DF568FAF4A49AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.287{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:15.696{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF096E7DEBE4F974BEAC450AFA66451,SHA256=231A838B34083249A6D905695FE668B67D6D0009A0B2D97151B9E9262BC5D626,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.985{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.985{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.985{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.985{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.932{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.932{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F0B-6227-5E08-000000003602}2564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.932{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0B-6227-5E08-000000003602}2564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.939{C64CDE3E-2F0B-6227-5E08-000000003602}2564C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.901{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}6412C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.906{C64CDE3E-2F0B-6227-5D08-000000003602}6412C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.885{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.885{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.870{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0B-6227-5C08-000000003602}216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.870{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.870{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.848{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.848{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.860{C64CDE3E-2F0B-6227-5C08-000000003602}216C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.832{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0B-6227-5B08-000000003602}5380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F0B-6227-5B08-000000003602}5380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.817{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0B-6227-5B08-000000003602}5380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.826{C64CDE3E-2F0B-6227-5B08-000000003602}5380C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.786{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0B-6227-5A08-000000003602}5468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.786{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.786{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.770{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F0B-6227-5A08-000000003602}5468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.770{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.770{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.770{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0B-6227-5A08-000000003602}5468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.781{C64CDE3E-2F0B-6227-5A08-000000003602}5468C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.769{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0B-6227-5908-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F0B-6227-5908-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.748{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0B-6227-5908-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.759{C64CDE3E-2F0B-6227-5908-000000003602}5688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0B-6227-5808-000000003602}3832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F0B-6227-5808-000000003602}3832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.732{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0B-6227-5808-000000003602}3832C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:15.736{C64CDE3E-2F0B-6227-5808-000000003602}3832C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:16.712{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBDE8D9D6A0E3BC9854C5B463A45770,SHA256=D87E21E6EFA4B300FCEE597ABC46DAFDA01440818475684D0E1C516B052342AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.901{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40F5B780B67CB543D953743245B72C7,SHA256=2DA07001DC7A8EE9B3C8333E210859CE2F5D0F66C7FF80FD390B7A5CC90A0B67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.816{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.816{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.816{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.800{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.800{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.800{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.800{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.747{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9AB0309D0CFB4E583557CD3FA1530D7,SHA256=CC398C2BD3C67AEA0BC5BFD6DD39A2FC325690C6D3035844C9269245A7A8A980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.747{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89FE27F9564E6B62FB091B663F553464,SHA256=375BA68FD97C6CD0D1BD445556DB0E5C8845BD4C632ED1B25F5BB358681E4353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.216{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD6E1CA4C9A1876E61F9C90CB61FE0B,SHA256=781709626E7DBBFB46D1C9757F8BD34C8A6A490F2A8EF7BD5AED8B3CBDB00C73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F0C-6227-5F08-000000003602}6788C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F0C-6227-5F08-000000003602}6788C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.017{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F0C-6227-5F08-000000003602}6788C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:16.025{C64CDE3E-2F0C-6227-5F08-000000003602}6788C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000018983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:17.714{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2FDDFB8F43219D644AD3FAAD5C8FED,SHA256=A3DB00E470578A18FADF14F899403308A8A13CFFABCBA0F9E344A6B73FC7C44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:17.916{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0597BD366F53043C58F8DB98D2AD89A1,SHA256=513D49B3B31B77E8C27F60D0A073541691DFB9771119B58F25D2FA7FD728CFA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:14.356{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:18.728{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674BE50A661B32D4DF569213368DD66B,SHA256=D51E081F55112758D3DAA08E5EBDDB1AC8D5151330828E4CC13E6AE3CE73D419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:18.918{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDA8BFE37A56A135285F72C1E51BACC,SHA256=D25C7861CA8A95F457509974DCFED03BE405C015173178149932674B1120715E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:14.701{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:19.933{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AADA1318AB0820B3CC411E8D86C0F7,SHA256=6FA50675E779E59810247BD71A264CF6C7AEB3F9DC99805921142756FEFB439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:19.728{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F6B727BB789F50EFDD304FBE57C888,SHA256=2A8B28CEA4DF4391075C0350AA63C4F2FC575023F5D982CE6CCBA74D86D614B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:20.775{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06702407845FC5344586AA9C4A84F544,SHA256=E827176F78D499F152BF86E26D6861CDA3B01B3675EBE5EDC7AFF20DFE79D8AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F10-6227-6108-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2F10-6227-6108-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.967{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F10-6227-6108-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.968{C64CDE3E-2F10-6227-6108-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.951{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9468FC792B38CA165DD5328D41213E,SHA256=B7B44929221EBB067055FBB96F71B054A9E2EDCB07CB129B2840C5A8740A44F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F10-6227-6008-000000003602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F10-6227-6008-000000003602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.287{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F10-6227-6008-000000003602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.288{C64CDE3E-2F10-6227-6008-000000003602}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:21.821{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278652E35F21C919A8C10DEE18F2D244,SHA256=23CAF4EC22E240B4B9B694A50C1DF9587C198F12AA0C579DBB0C0E8F5C235B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:21.984{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B81CD0C2A55B37D1E28BFCDC09A3EF8,SHA256=F0E86A52A646F1823A03B6D67195F511DF9244589DAAFAAAC9166E7903D4EDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:21.300{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9AB0309D0CFB4E583557CD3FA1530D7,SHA256=CC398C2BD3C67AEA0BC5BFD6DD39A2FC325690C6D3035844C9269245A7A8A980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:21.216{C64CDE3E-2F10-6227-6108-000000003602}60603448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:22.962{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C75FEDCB13EA4047024CE7205F1AE,SHA256=312E4521FE7935FE4459E35ED9BCD5D49C4272F520BF24FCFCB878077C523BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:20.312{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F12-6227-6208-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F12-6227-6208-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.690{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F12-6227-6208-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:22.691{C64CDE3E-2F12-6227-6208-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:23.993{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43E8681AAB9650F993314682A59754D,SHA256=16C74C0D64337DEFBC9FAD95370A259EFD3F25B6E2654EE9FDD9EB0382B83F42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.785{C64CDE3E-2F13-6227-6308-000000003602}60885560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.702{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCCD4AEDC38A2AED8989FB1BF9B7ED04,SHA256=0832509F3A3709DF676FD2C9F0BE20FAF069602ADD1BEA8860454FAA376E09B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F13-6227-6308-000000003602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2F13-6227-6308-000000003602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.615{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F13-6227-6308-000000003602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.616{C64CDE3E-2F13-6227-6308-000000003602}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:23.016{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C675F4151018FF38854C0D9163F1E559,SHA256=7FAE66147DDD179F866634096D9171534F80DDD70345332B65D8B4ACB5A1CD32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:20.668{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:24.069{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E3EBF4D1093EC413CE1F92528A4667,SHA256=511E4B09737DDE56527212DA29D1850C55E1C47DBD6E3F1C3FE0F92CCEC9B746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:25.024{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB30CC40FEAE64882747F1490E5E01B,SHA256=4745B2D88E190DAF3EE37B7BB145DE9465B0C31E80B1E82635F328FFC2D44DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:21.784{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51142-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:21.784{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51142-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:25.084{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74501557A3B81A4AF6D2274DE43DCB29,SHA256=B6239D754316F592D5CD65B22783F2D29AAF5BB661A42503924C60AF03F802AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:26.071{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5620E793DD1B0AA4303E2992DC271C35,SHA256=4E63550C26A07BC728D3C77DC90CA91D04587E9F0D4092E0CA2C862F146B6D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.732{C64CDE3E-2F16-6227-6508-000000003602}4165512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F16-6227-6508-000000003602}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2F16-6227-6508-000000003602}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.532{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F16-6227-6508-000000003602}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.534{C64CDE3E-2F16-6227-6508-000000003602}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.301{C64CDE3E-2F16-6227-6408-000000003602}44081612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.085{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5480FCF69251C89F274B9E707630616,SHA256=B117F4BB28A50699FC48B83AEF61D10D48070EF60FB85820AA63DE545E6B5A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F16-6227-6408-000000003602}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2F16-6227-6408-000000003602}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.032{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F16-6227-6408-000000003602}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.033{C64CDE3E-2F16-6227-6408-000000003602}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:25.434{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:27.145{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9EA65DC4DCD1A415EEB67E57256A7,SHA256=C821A1814E46686C80CBCF0BA6B514A98FE98AEB4539E7752C80422B5F0BD30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.192{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4576A4521AFA0C96375D7A5F66194E21,SHA256=3AD445C59F773E83FCB585CFB1EA38B39FD2A614D4659F750AE31F9CCA19A193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F17-6227-6608-000000003602}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F17-6227-6608-000000003602}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.126{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F17-6227-6608-000000003602}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.128{C64CDE3E-2F17-6227-6608-000000003602}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:27.038{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA146682B75F5625AC8CEAF581BD4053,SHA256=2FD7A63BBC497BA2D96AC5AE67036F79ED7513DE09009D45FC13AFDB39801ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:28.317{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66993AB2D0352E99786559E70AD782D8,SHA256=AF4B6B56370E7C4BEDA40C4B46B86BF7CE2192CBACF30062360308A7F1723202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:28.207{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AB7A012BAA50F7DA56796EF51BAD43,SHA256=58EA4DAE6EC38FD0BDC683F482EC00ED6300D48DB1886F7D1A3D3BA5E6C0A326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:28.139{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AF0D152738E3B714AD6F64CE8CEE0F9,SHA256=7E72B46218F7847335831FF9ACFB1741F04984F25CCF44C41E62B7BF89DB4C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:29.317{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45EF93B7840F542FAF3B8379E9B6F62,SHA256=5C289741C24DE6997AC11E6DFB378AFA1524DAA8BB77B4C3F8D2E06FEC0B8689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:29.223{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AC1862F921C25E46A337976B28F44A,SHA256=B354286A341D0D7084F666C90E2AE28930401216ADCECDB84D78234999EE4278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:30.364{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E23485F40A7BD73B932BFB3AED55C3F,SHA256=926335ABEE77DDFE7D5F08D4E11CDB27F46341A260C63F690CBA4F6E8442C8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:30.253{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4124FB1A82415D6ACDF1CBB8F9ED304,SHA256=4650125359896FB2EA49C0459C45CADADA071855D0D35348F1F42ABA1AEA351D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:26.607{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000018998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:31.567{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E6B60E0BF16D6B43AD01DEC77635A0,SHA256=B2F6A4968D3479FDFE41948A9A67505D4C220C1DD3F609B51CD80C221962CC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:31.290{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674AB79B41EE11BF121D4B21B7E07272,SHA256=642020037AF203FA74AA81A33634FC6F4C9C0C0075A468452341B784C8BF0EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:32.645{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C041D14AB380EC65A6367074BFB3FD,SHA256=72B13C2032F68888A80DADD66F128F263317E7F7E8BBF701273603F03E4C5CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:32.305{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C309064EBFB9A3D228D44E949A6F08,SHA256=13F41434D518C902CE3D27EA9431BFF88767C63F031FCF25955359F41D9F22F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.989{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8067A3E6D8924F4137F70BC50595A671,SHA256=DDFE9AFD66BD76F328DB2F5AB91BCC5E58E1D98A35EEF2CFEFD0958840CDEA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:33.321{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDAD7226445C137C3636751032D2EA6,SHA256=5DB229E1B57C1352EAF55BCD5CA77E185380B6B805B3611B4D8318B18BA9C9BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F1D-6227-8205-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2F1D-6227-8205-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.692{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F1D-6227-8205-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.693{DCBFC465-2F1D-6227-8205-000000003702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.582{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB840EA6AF70E84C06D5394C2DDAF90F,SHA256=EA16334D791BF8175716978B342FE60ECF4DA955FC1022DA25F19E40D8392708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.442{DCBFC465-2F1D-6227-8105-000000003702}27043316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F1D-6227-8105-000000003702}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F1D-6227-8105-000000003702}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F1D-6227-8105-000000003702}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:33.083{DCBFC465-2F1D-6227-8105-000000003702}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:34.352{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A47FA21E1677DB956CA5ACF22A1E97C,SHA256=C89DF84839E5B17637CDE63932DECE9F4C39BBAF39D0F59AD108A4807874A015,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:31.383{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:34.098{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53E49B47FA65FD7B8E35E7FBB5152EB1,SHA256=70B1C6E278658089968EC5CB736899193E6D78EA2891DA06FD326496F1E8AC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:34.098{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F18231994771C9AB4D8C929536E4707,SHA256=135E9612325DD61B53C582A796452ECBDC62EDD6E810193062A348435CC0A048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:35.369{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F82626AC3DC0ACE136B2AEBE8F51F4,SHA256=933FA07014B5FF5A00B2E96DE11A30BB3D6F1A0C73C84736A7B9AD104834AC6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.880{DCBFC465-2F1F-6227-8405-000000003702}36563640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F1F-6227-8405-000000003702}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F1F-6227-8405-000000003702}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.629{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F1F-6227-8405-000000003702}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.630{DCBFC465-2F1F-6227-8405-000000003702}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.348{DCBFC465-2F1F-6227-8305-000000003702}11482924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F1F-6227-8305-000000003702}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F1F-6227-8305-000000003702}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.129{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F1F-6227-8305-000000003702}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.130{DCBFC465-2F1F-6227-8305-000000003702}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:35.020{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C1E373596591668D3C8421CCF67B2D,SHA256=6FFA1B9E98CC78B1EC91D871287579C26F39DCC1FCE5FF8D18526D93083B4522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F20-6227-8605-000000003702}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F20-6227-8605-000000003702}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.801{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F20-6227-8605-000000003702}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.802{DCBFC465-2F20-6227-8605-000000003702}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.396{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443B8ACFECC6408AD58E1980D54AF1F8,SHA256=027B200048DF271A110D9300AAAE8FCF304844D4B5B8EC73E020BAD4ADF5066A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:36.387{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E236637A50566688A6081055974C73C,SHA256=4CE72D6512BACE6DE39DDAE0CC197398E92062244085F52B4383CD58598475FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:32.619{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53E49B47FA65FD7B8E35E7FBB5152EB1,SHA256=70B1C6E278658089968EC5CB736899193E6D78EA2891DA06FD326496F1E8AC85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F20-6227-8505-000000003702}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F20-6227-8505-000000003702}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.129{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F20-6227-8505-000000003702}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.130{DCBFC465-2F20-6227-8505-000000003702}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:37.411{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9429B7247B6E1C418E9309564FA26B9,SHA256=7E8D5E1E1C1C64927B167C7D59C6B158CBA22A386C0C31169D2684809A799BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:37.418{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A84D648D34F99CD00A8760ED506716,SHA256=E2FC211345998F994EBCF02ED77F9B4F976A08B00A57CEED0B070330464E5EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:37.270{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93417EE299A7DD70574197FEE4B02664,SHA256=FD3D586C537DC3DAD27D49CFAB0ECFCE346306086DB95C847103D3F8E93A96F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:37.036{DCBFC465-2F20-6227-8605-000000003702}7642800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.428{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEA06C12F0AFC43A600F8C3114D6EFE,SHA256=D1ACBA40FE92C5B770B2FBC44E7DCF51EDCC86DBCF5962303F1CE922169FAC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:38.708{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=D49F4E4769F63644026C39E81268C7C2,SHA256=81C221742C1E351D4E0209859B5BFFAE43C3D2B5EA545A98D76D1AFE621177C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:38.448{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4203441679D48CFD00A7210B520154E3,SHA256=D0ED344111BAB15C7EC08870ABC10DEC2010430542A4F7A484E6DC963A4E0AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F22-6227-8705-000000003702}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2F22-6227-8705-000000003702}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.209{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F22-6227-8705-000000003702}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:38.210{DCBFC465-2F22-6227-8705-000000003702}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:39.443{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6A7C9ABD61ACC549E1439CD58F4A43,SHA256=C523524940D7FE07F7CD5F910BBA3909826FE05F7ABE7DA12104A4BE7497FC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:39.454{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A892411CD38F087EC048751688B7B4,SHA256=FD259DF1FF32A1F174704D10F9946D3E34375F25B44A83564A715A0FD958465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:39.256{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30824029AE876A08EFE8479020F0406,SHA256=1985B7C93065364867381C87420CDA175393AEEF8727C5AD07B0EC4BEEA31A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:36.430{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:40.678{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8855D5713DD5937AF03CDA7E99160EAF,SHA256=02BA9FF3F16A020850B3B2ABB6D44E3AE3A5038BC70D55B9C69ED717760E489F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:40.456{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:37.659{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:41.881{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477F6012251C5EB558F521444E86AD64,SHA256=52836D7A13DF444569E2251D8AFF7975A99B2DB8BE07C45EC709DA077D0B074A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:41.472{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B310F41B783B4DA2AE6302102F2BF8D6,SHA256=1EC7B4306D3EE24FAEC13B03A176CFC3EBFE7F2031ED80B360584B5CD4EA8A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:42.881{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E09626A08AACFF94A770BF6A08E39,SHA256=8A6E5799B21CF888B8A101F418F1D7F5C2DD4112FBF010A000B8F72B27114769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:42.523{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533CFF0E0FCBE44B9B95BC07E0413534,SHA256=1EF7FC22FB50C666D51EEF5FA0B8ABD1A41C2A952ABE193AD926795478341746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:43.896{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4892363901F6E5D2B26D62C7B59C211E,SHA256=C2C3AFDDF54212149B2D8B4065B23CFEE76C68F6C6DF1F46841E99AEE064EC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:43.722{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=3E3B3E3E954BC69D8247A03FE6F7EABB,SHA256=EB183F59FBBC1A28CF0DDF260F368894CE75131F2A74E858E8825B35941D2FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:43.538{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC01B50AABB9D5BC55F56F14CCB6DF6,SHA256=03E20B51BF7CFF35E665D20A7F412593E334981A67EF8E9CD0EC4171D1688335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:44.927{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C3153D9D5A42174BE340211BD197D3,SHA256=2AB376024A076C126E48B6E585E79ABDF5D85A3EA800BCF6EFBC31B0AAA20C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:44.653{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B280894BA6DC11638E7ACE0DCD88ACD5,SHA256=04512976271BCA53337E7F174F8518347070790612AB1D61B878FCA8F9F91A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:44.318{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:41.431{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:45.689{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5C53D38119888DE6B1AF9E21404C85,SHA256=48032F94B53CC0A31770A8C45A0150FCEE18EB7450B6FF731BF3BF5D525B687B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:43.556{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:46.115{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217FB3E7EE2DB26C1956ED62C57E2964,SHA256=2B6D30092E9ACBF5286F3FC59232CABDB7833D0829712C14F2E11CE34495BA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:46.720{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14425EC236CCF096B893AD2D3A706AC,SHA256=BD43408461BBE5DDC54E4A8AFD524AFBD53E5BAC7A98EFEC223CFB2413C295F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:43.672{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:47.162{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4B34CCC37B2A69B9524C0E9FDE9D58,SHA256=C178FC2EC13B57FB7A32B32957AE9B3FAC65B75F163080F51F213F3C30893E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:47.721{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D33E6EBC6855A65000F99540E0FD5,SHA256=55644087CB9018E4D1EF4DC56507D4E59187AF7FFEE0CB3569606B81565C0EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:48.210{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5FA0ECCD9999E5238647DB306C3BC6,SHA256=6EE5EAB7F726AB4CCC412C9F456881CA977DBBF09B7794417EB8BA2A6047E961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:48.721{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7CF2AEC9D337C3AAFB64904FC27A7D,SHA256=7A1DEF873AAF5D2D1D026F32B91221E14A2EE69164695C779B95F950C3A7B0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:49.753{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26535ABD4C912ABAAB9A6BB2ECC20B5,SHA256=B16A9A5A1B20E987766E42EF22FE93423593191D19CC8CC7218351B71DB59131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:49.271{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C656066558937F769435A1FDFFC5E6A,SHA256=F2EA26D4F953955CE157533B787CF264E302855C83F90536822E8CC0AE4BAE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:50.754{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD92206C7B44ACB2FF3847BF980E547,SHA256=F1AB374864298E45E7E2C638CB01703427FC175459EAC3039263F642A201918C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:47.463{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:50.349{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3589906756034B09426C0CBCF0FD5D,SHA256=2CE7E2B6C6E72D0F6EA91DCAFDD9E77D97F38C6798E3A069AEF73BD7479E73E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:51.412{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE490DD3E1655602367FFBFA53DB7F3,SHA256=3CF4857FDF68FD07C38407295B5E1AD5B38E811128AF2314CF987DB3A884BB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:51.773{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B872867788CBC773B43B5EB7E319C3,SHA256=717CADA56758269CC62AA8D60171F1D16D26F5F5E44B2AD5CFB7918ACDD86B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:51.722{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2D00-000000003602}3052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:48.673{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:52.443{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3956E8A7C431022D2404D54B7BF6B9EC,SHA256=DCE0C3FF7954467B8ED7FD6A8CCF4064EFEB67A5851F0A4FC24D4306888B595C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:52.991{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CF5D7EA33B6AFB8615508B4A1859E94,SHA256=ECBA6A1AC306CC656C8AC7E6A778D28BBE368B03CD5AD1DA24D3FDE755950421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:52.791{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314E7AFABDC2BF9D62FD17745D88B3B5,SHA256=1D160174EE08F3A01B3F4FBB850AECC3610596469D4A75E38A406E4FB68D0066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:53.678{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E643848EE6C15988ACCFA90CE78713,SHA256=406E3F1B71419C891F4AC1C3AE33C3E812A451692C9705FB22698289159F4219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.822{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C773573AFE4C66A1E79498ED226891C,SHA256=E275F319BC3BBC933DAF2AA04CE6D3FBC3BBF3438EF2B0C9A33D0550ACF8C833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.653{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.653{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.653{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.638{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.638{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.638{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:53.638{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:54.693{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D312C539E7A78E3C973A7E712B7B3BB8,SHA256=4A4DC9FA9F20784088CA384B6BFDF703C0908B81C050F04537399BCB8DCABB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:54.837{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E749E5F37912555C41CF42C73633C39,SHA256=C4ED21638E20F6AF57969C9E96353D34780A369B6D0E28090993CCDAF1A10ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:55.724{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C42807AADE63F782DBB0DD6B2BFC5C,SHA256=08029F0CD6E600EF83350CEC3029D925533C746DC7C42BB94C6B1D211921838A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:55.857{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8873DED1FC54DCB3D27BB5E6BC2109,SHA256=F12079CAE067967BC053F9A2378981DABD8BEAEAFFD4FFDEE0EA82E54B22E8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:52.494{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:56.771{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B18266DA159FDEC2FF260828A280D5,SHA256=B39952DABAA7898415841DB5C1B7E121B8458A9CB446531B51DF4274396E485A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:56.894{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99938244204ABC40289FF1F530E28A37,SHA256=C28FA74B4317BE03039ABAEB0D395C2E3D6BC845D77838F0B4AD443DAF23221A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:57.990{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537BBFA761C47E7D4DEBC958F0AA5633,SHA256=E8D1DDBF41FCE6E1798F1FB50AE46C9F1EA1D19031F45060431FC9C42FEE3432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:57.897{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55923B81758BFBDAC326E4CB7B88A381,SHA256=866955C5FC1845D597D455E00C316806BE3D9D383D67BD8C9DC934EAD32C9803,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:54.707{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:57.094{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:58.897{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB409627C7B2EF969D4A122E46BD1305,SHA256=0831507FF9EEB77D28B6555399F2B8507EEC5FDA76A9A7EC455D983DCDD2F954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:58.697{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2D79-6227-C407-000000003602}4760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:58.697{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:59.928{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2653ACAB7F0D71F934F9A6B5652225,SHA256=658F2CBEEDF913667F88F9A55C33189285E06E5C3334EAE164399296917DA0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:59.209{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024FB29C3FB4925F941012097FCFECCD,SHA256=56EEC5851366856F33317E70E36808AC26FE5151528BD90E5F25DB76724C1943,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:25:55.622{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:00.942{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48EC3D38EE7A69C32C16557A127288E,SHA256=6B628FD821D833173F2720A08FE05A655486321A9FD79807BFED0107634A0824,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:25:58.369{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:00.256{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E186070E8391CB5F13932ED4C2228C4,SHA256=CF02946BDD9680E7B7404376E70073CC4EEC766D1C344CAE999EB917FB78B10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:01.957{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5267A2EEC7FCBEDD0EDB44B0145F5B,SHA256=DC9DF24EB5F941581C2FDE221C52C001C61E016941D8F1FD8B5F99575DE86B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:01.287{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA33FD8C2AE758395256F16475ACD879,SHA256=65C458754830EF741D48970250BF7508E0744D7C2A6C58D3BDC8CC108B43A0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:02.994{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A7590BEF18E9E8843310A126A8FA13,SHA256=D8D7275F6C2B0344E63864F1F3B7C71B6E9E7777BD3543F9FF69D85C622983CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:02.287{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6381AAA645B51F6A0326A8775CC3DA45,SHA256=05786DEC5FE162F179778C90C82E01D92573AE6F91A4B7FD12F81C680DC33CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:03.381{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25901EE4859D4113108DAB8DB84744C,SHA256=126F1B3D6D45D47E7257DC3B364F5FCC427A4A63DD9CD94926FE6FEB3D6FF35A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:00.709{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:04.443{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51A2A702F63BA4C7EBA42D0DA02B74B,SHA256=07B440D3E132CBED0E15FC59A9963205EC7351D39610494B94987BC0C4865C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:04.009{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968E2D6CE85F8D65F5ADE84A79E808A4,SHA256=3B5C4A8620B1E4326A73B8C49C7A9499CFAC319CBEB945C08272D7F91B6059C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:03.462{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:05.521{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F024A8F2576B50FE58FD8AF063687E,SHA256=7F765CD674B0DCD3C269B11A24ED37F2C76DF4013412783623470B5ED732D1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:05.030{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12756B6311B117D813CE02A6D23B66,SHA256=84F28406ACE7B602A3D117F4C2D56DF7FF3C238B79705D62B79B9F8D1E126DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:06.756{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F7C9492361B5075C607D132DDD175B,SHA256=A6DC322732A6F1B7BB6081903E375D69FF198836C54C1DCEA4CF984A8D15E582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:06.537{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-075MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:06.032{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52211030AE11AC437B44B4066B446A47,SHA256=D9B8517D508D55DFDCDE446111D96F0046E02AF74FCC3C5B4125EB8D9E3E584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:07.975{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF354072CB89488B9120D2FFE86AB1B5,SHA256=C4D0C748EEAC9CDCCF2150C16857983E30109E48824C38663F8F2FF71898757A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:07.534{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:07.032{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9DE70E2D82CD7D400341C9962187B1,SHA256=110994B2F5900ECD0A9A80A551898C0B1B762EDBF0A9C0B466F5FBF6EA4555EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:05.711{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:08.051{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4333AE8FF80C6AFCF0D1E23D04FF296C,SHA256=7E2EA4756B7A74EBAC2FC9D36DA4C93DA11AD350A667C90E6842365BB793F364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:09.007{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D142053A3185E8F34BD0ABB5B7C96A49,SHA256=6EA31096CE22557A17850E3F24F50AFD601012733911511B9B02DDCF78279533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:09.064{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950DD8D592A0A3D3CABA447E872AAEB9,SHA256=E5BD63B699E772909637566D6BB829B7743515489A8EE29F02D3F1204CC87593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:10.069{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9D794CEC8714497A4B5E3B4CB86B82,SHA256=54D47075F5120DCC23511B8CD9F67F272A2ED7F39DE5B14DD1C6D359AA0B9517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:10.064{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC3321854DF15EEC20CF27637D7B14D,SHA256=A7EB81FFD581822E301A9C23746A7A37170A5B189DF25972122B0D4F99A30144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:11.083{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B884EB24211F934AEC06186B961B407C,SHA256=97C8A6618386E5EA18C5694437F07EA374AB2F124B8E735BC88A0BDE85CEC4D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:09.385{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:11.085{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD6EE6E80CB5DF36A2632ED87690B7E,SHA256=97EA1520E45999813CB5BE88FBFD47638EC4E57B56A5CC42C5A5F62C0590376D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:12.085{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0982689709D38FDF46E59A741A57614,SHA256=F89630FF3E3BBACB7C96A867B43DC8ACF65E455A67DA16F074D1AE5701045187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:12.102{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6DB9FE5653BE155DB0E03C27E9BE47,SHA256=4FC582DDD55F78F9691231939DA3B6EA48B859AE2D54F0F2CA1D784F0058445A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:13.807{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-063MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:13.100{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EA379E2433DB718650BC6A1F4F4032,SHA256=16E450DE757F440EA31AE084474B66A92625DAD8EE38C064564E2349EAA2946D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:13.133{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ABC69265856E3C3F783DC56DD2AB1D,SHA256=1E63419D7225BC449152C3CA0CEEA232C2ED86D8CD169EA006DBAF7C10DED622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:14.820{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:14.209{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F535F2C0594C3D4198D9723B724D44C,SHA256=93BDE176B4D812DE12EB0F56ACA23A7A8069F9277EEFC144E02F14F92E217016,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:11.681{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:14.134{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F264E2F0B8AABDD1C8E59CF89CB89E,SHA256=32EDDCE935813ECB1869A077B0532935E053579432B0985855CCADB3FFCB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:15.319{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78A27F4E0E837AE8CE6114D52847DCB,SHA256=048855B573B46884588040F264A4D36AD3EEB5EAC6DA90107ED0160C89361792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:15.951{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000036309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:15.951{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:15.951{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF47df4a.TMPMD5=847FF2A64311A111F9C46697989BEF76,SHA256=E334D2C69DEDC04CD4D70803894D1FCB59BA771169046B5DEDA16196007ACB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:15.151{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39971D82764223F50802137092B7AE7B,SHA256=CC04DE3E0B3EFA6CFCB024E2F7084B06F8E84B452728CBD3DE3DA67C0445334E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:14.494{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:16.352{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103D1D3BACC9B019D5876EF6BF0DDB15,SHA256=3E5FC676B838034D8A88770BAF9A9A6D82739D4BB57F671308BC931C18D166FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:16.919{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:16.167{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F204A0B7A591529882736DBC79FFCA62,SHA256=4DD9B3D580D818D16FC55E3EEE66B413D9921483916C95335134B28466FFA912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:17.399{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D039AD814B3A2E2F23F00890FFA2134F,SHA256=BFE605CE31F1C7636B5528B08AC523143AF4C034EEC8424E1AAFFA7B7F4C8222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:17.184{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72DE11A2D341A72C2C1E5EBAF0CD5B6,SHA256=7BB1346EBB0C8A5A2B1EACAF1314073F6B089DAF63996804E1AE8BF980F473C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:18.446{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB2AA6D54C1D5B4E11A820684E6846D,SHA256=DE9F7D07C140E8D056DA5C755CB83D9B38644018FC85DE4788AC4A7FCCCEB246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:18.203{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111BF58C8F6C1F0BA64991C6D3B65580,SHA256=D6E0EB39D539EDE9C2B0B0E6B8D5E20FB1A91FBA9EBF78FA8E844F190C4E92C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:19.540{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6A662AAD1230828361BC218B87C3FF,SHA256=436E936045A90D2241BA5B8F7CA71C1F8443E8AF5E002D475EC5F1470E6FF528,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000036324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0047ed35) 13241300x800000000000000036323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832ce-0x912db99a) 13241300x800000000000000036322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d6-0xf2f2219a) 13241300x800000000000000036321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832df-0x54b6899a) 13241300x800000000000000036320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000036319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0047ed35) 13241300x800000000000000036318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d832ce-0x912db99a) 13241300x800000000000000036317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d832d6-0xf2f2219a) 13241300x800000000000000036316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:26:19.518{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d832df-0x54b6899a) 23542300x800000000000000036315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:19.233{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EA17FFE9E5A5882C5674A71CAB84C5,SHA256=CD04857044D0E8CE4125292123DED092227603EEC8A225E8CDE512CC01DF953F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:20.602{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF8BE40A6343F139DE1D3F475AA8442,SHA256=F826ADA50C81BC5729ADDA73A02D9CBC6A04C23B40E5171389B28ABFE94F1315,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:17.650{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F4C-6227-6808-000000003602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F4C-6227-6808-000000003602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.963{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F4C-6227-6808-000000003602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.964{C64CDE3E-2F4C-6227-6808-000000003602}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F4C-6227-6708-000000003602}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2F4C-6227-6708-000000003602}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.301{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F4C-6227-6708-000000003602}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.302{C64CDE3E-2F4C-6227-6708-000000003602}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:20.264{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D224CC76BE1EB71661AFF39E1B355FB3,SHA256=C74B8C39A27A53A4411A29CC95A6B6CE6C91793847360856E7360541871F07E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:21.759{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294D9A142243947FF4773EC48C657773,SHA256=C672445CA8435F82D2A0114C055258E2E25166D37C4926E06910F58C9C4D1179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.303{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69411270CB09F57E3856E8DDA0948F4E,SHA256=1269214054DFEE1FE0BA96EA063D6C74C5276FF382CF2ADCBF6324F05C1775F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.303{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF065EAD9B2B9BB15402C22316734E9E,SHA256=4D7FEFE770C88B843D5235D224BD954F6ED665B680E5088E583342D2D81E863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.265{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE72F942B467D3B633C5CC93FB35307,SHA256=075BFD8D8FAD291267EF57B1366E50CDC385112C7697E8CD17F3C8A2AAFA29E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.166{C64CDE3E-2F4C-6227-6808-000000003602}50561556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:22.774{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC62CE1535909FAEFFC81B2DBFB31869,SHA256=1BAB9DAFC291F30CB86D4D0E4E89958C85CCF894E581A94D7AF37FF21568EB63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F4E-6227-6908-000000003602}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2F4E-6227-6908-000000003602}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.704{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F4E-6227-6908-000000003602}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.705{C64CDE3E-2F4E-6227-6908-000000003602}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.266{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AE7B4F879892E2BF3A232F70FCAB6F,SHA256=ED18DBCF15ED3E62866ED32BF1C006FDF2EEA63E4E50E6F31E9C5E78A5A50605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:23.977{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB67D1478ABDE5D8B6A31AF603707AF,SHA256=5D01DACD764571333D4A49FAD815432C075BC304C676DBED31D7A13A367CCD70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:20.356{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.835{C64CDE3E-2F4F-6227-6A08-000000003602}5086064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.719{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69411270CB09F57E3856E8DDA0948F4E,SHA256=1269214054DFEE1FE0BA96EA063D6C74C5276FF382CF2ADCBF6324F05C1775F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F4F-6227-6A08-000000003602}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F4F-6227-6A08-000000003602}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.635{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F4F-6227-6A08-000000003602}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.636{C64CDE3E-2F4F-6227-6A08-000000003602}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:23.267{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265A69D3110FC0DE1DD99FEDAACEDA59,SHA256=0B495D05C566412A83CCF97BB59EBAB2959FD1C386247B94E06117D72B2F493D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:24.287{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B61709505D78D3469E5D8EE23CB4BC,SHA256=6C86E1E721DDB7A6D92E2C31300C2D2D2643B1906C328ACC52D02E459124BC80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:24.187{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CE1-6227-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000036370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:24.185{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:24.088{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:24.083{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:25.009{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED4ED7516B86063F33EC98D469B2C46,SHA256=7E9EB3FC28A8BBC928D00F031994168F08015AE04B981B3794A5D044E23FDEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.733{C64CDE3E-1CE6-6227-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51157-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 354300x800000000000000036381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.733{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51157-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 23542300x800000000000000036380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:25.303{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E402A829202D6CC298F96EB215A5BF91,SHA256=8FA7166A11E185A71FD95B56A78363704C309AE731E1DAFF9C3EC412840B5B7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.642{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51156-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.642{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51156-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.633{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51155-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.633{C64CDE3E-1CE6-6227-1600-000000003602}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51155-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.799{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51154-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000036374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:21.799{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51154-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000036373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:25.104{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BAFCC84FDBE899FB3192F5010B71FD,SHA256=25F068984DF546449B940C92546A2D77B63786773E30ECFFB9EA24B021EDE8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:26.056{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32CAE9B52967ABED30B97FB590A2759,SHA256=AD8FAAAB71131B3AF5F5FF0483DA1133ED8870320B7EC9F51162E9E3A25457DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.771{C64CDE3E-2F52-6227-6C08-000000003602}39561040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.591{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F52-6227-6C08-000000003602}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.587{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F52-6227-6C08-000000003602}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.587{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F52-6227-6C08-000000003602}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.586{C64CDE3E-2F52-6227-6C08-000000003602}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.307{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B81CA150BCBCAB0C7C6B2CA900E1100,SHA256=060BC1BC7D3EC9A6596AF6B4396E95617B15FE003CBAF6E37405B17CF2DA6F34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.237{C64CDE3E-2F52-6227-6B08-000000003602}27006424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.751{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000036394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.739{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51159-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000036393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.739{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51159-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000036392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.734{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51158-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local49666- 354300x800000000000000036391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:22.734{C64CDE3E-1CE6-6227-1400-000000003602}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51158-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local49666- 10341000x800000000000000036390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F52-6227-6B08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F52-6227-6B08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.037{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F52-6227-6B08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:26.038{C64CDE3E-2F52-6227-6B08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.342{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BE5318B371EC9BC856ECD26776C316,SHA256=FA3FD77C425F67151A06A433D6C3440062045794543DBD3ACB976C512024246A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:27.056{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503158B6681CE9E37736059768C9A54B,SHA256=00696E7E85E50E21A90CF164E9240011B6DE2ABA87F471276756BEC5BEAB1A8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.194{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F53-6227-6D08-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.194{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.194{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.194{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.194{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.191{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F53-6227-6D08-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.191{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F53-6227-6D08-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.190{C64CDE3E-2F53-6227-6D08-000000003602}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:27.039{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B381FB94EBC55498F23197B2A1E0308,SHA256=214F14D363970BA034F221E1EBAF89DC700F29F6D3C34CA5E497D5D48C25AB8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:25.388{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:28.071{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE558E5B5857CBB1540ACBEA5537C2A,SHA256=0D5A29B2CDD2FB623A018796E1744B4EAE0188887F25157A1F0820931201BD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:28.345{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E63C14833489C2F43699EE1F1095E3A,SHA256=6D0EDF1ADF88C0B95CD66E052157EF6057DAFFFA0B3B30CE2F1350040A28AA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:28.213{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49D091057B8443E8F5D87F4ED5DC54E5,SHA256=6EEA02693EC8C3966611056624435B5FB1B7E73EF77B3735B5EEBB840B64C4BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:29.087{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5F579B14A3BBC0E894400D9C78C3A3,SHA256=52D970DE2143C4473FD49FECFE9F19279AC516717706F5E326DDCAD1DB46027B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:29.414{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6664636B763D64E08AC3D5A1AFB07ED,SHA256=7EE33E96A102BD287C451E0104F9DE049748ED53FADDBA09294292814C4C7D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:30.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49FDC358F6ECA3739312DB5E6CD714E,SHA256=8D625EF94EA424D2CD7465F0F7FB765AD45A5AC006FA6BF53997E39FEC3E033D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:30.417{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B568BE44688911FCBEBA82654392FD,SHA256=7BF5B90268B16396EB348195A7094B0C90B100F8FE837F201432B1B213861BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:31.165{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C088DD0791090B4C88E474054411DF7D,SHA256=1129AF15A731D39195CB11BCD7BA8A193ABB0767D226009A9CFD9FC0848F4739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:31.433{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C1103236565B8B0C805B064DB24ACD,SHA256=FBB49C638B17160CF0599A3A5469E5B89D8B8915E08E4F51E0D70FD8DB6B145A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:32.399{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604399AAF303A50D9ECFC68F3C6C9613,SHA256=C859D5CEE21C105EEBC318D53A4504563189823BC2F72AA2F1131C4EA1E65B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:32.448{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C113EFB5A4C67019B34F69481CF278B1,SHA256=CF4A192E927383BD33ECB4361B52AACF00C05704ECB91FB341126223530BD276,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:28.664{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000019200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:30.512{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.587{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBA5BA897E42011958193A12E108A408,SHA256=6D81C933DCFEBB58B652C00FD6C9147D2D239652278EB3C521A2E1E642704345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F59-6227-8905-000000003702}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2F59-6227-8905-000000003702}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.571{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F59-6227-8905-000000003702}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.572{DCBFC465-2F59-6227-8905-000000003702}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.415{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFDC5F351DA4611106EE608DAC6A247,SHA256=2C68E454F78E58098D0F5CA6C0E4622B74818734AFE5F5FC19D99FE54F425EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:33.479{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA507BD3DA43948E967A2A81938E9787,SHA256=E8885E0C954042CC47879EF2982D819FD0150F660372964FAF2C483A9451272C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.290{DCBFC465-2F59-6227-8805-000000003702}29883536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F59-6227-8805-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F59-6227-8805-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F59-6227-8805-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:33.072{DCBFC465-2F59-6227-8805-000000003702}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:34.446{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC260D0BB6183E534D1CCF17FD347A81,SHA256=303BA30B734D465F62448EAA2595AB4F14ACED6282AD67D5A944E1FCE33A6916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:34.516{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2C0BD0EE3D0433AC941B89CDF667DF,SHA256=0E5D4985535A28E57098F3C01609AB06FC47E26AA80CB0576F67A93708A50FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:34.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483FE1C65D19B822B78AF0D01E7F0C45,SHA256=962F9D420A3ACCB932AF4188FC3AF41051CFAACC9A650D029ABC311F88576B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:34.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=442076D3E17C4713A8B1CAC516632E61,SHA256=68C8835BC16548CF2052F33411C1A388745F773D267E226F6971B5649AAD4DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:34.395{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=92E58372888A0CC95173B19EE33D605B,SHA256=5606A5157F037B22281C4D19AFF753659C698647B63CD05A06C6FB2A1B10A5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.696{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4274423DA31E7177511C0655D6D4F7D4,SHA256=9A35120BA75CE8694A2478A88FA428851A8E3A5CE87496DB068F71CA0D790CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:35.931{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F10EA8CEDE68DBAB1C5420347520F9B,SHA256=33DB0D0E32DEA936C0991E0876B6BFE8BAB2DC0E24CCB187F860461871E5B906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:35.924{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=180130C19E7D7F09193892FBAFF98C35,SHA256=30FB1122A9EF5AE66A396D9892606FD1D2ECCCBCA5524AE4A5E7D3F78E011567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:35.523{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA988D24F2625FD8504C252445A0A893,SHA256=BD5874FDE0D883124094A647A04773F5AE23046765F9489E2659050BBE960A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.602{DCBFC465-2F5B-6227-8A05-000000003702}4924008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F5B-6227-8A05-000000003702}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F5B-6227-8A05-000000003702}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.118{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F5B-6227-8A05-000000003702}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:35.119{DCBFC465-2F5B-6227-8A05-000000003702}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.838{DCBFC465-2F5C-6227-8C05-000000003702}37763428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.699{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.699{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.699{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.677{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.677{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.677{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.677{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:36.530{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0ED4CBECCA0F66AAC71FDA551F3F0C,SHA256=1623CFD90B69B7EAD876901DCD052A78C9C585ABE9EB128D0827A5B9E5657045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F5C-6227-8C05-000000003702}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F5C-6227-8C05-000000003702}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.509{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F5C-6227-8C05-000000003702}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.510{DCBFC465-2F5C-6227-8C05-000000003702}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483FE1C65D19B822B78AF0D01E7F0C45,SHA256=962F9D420A3ACCB932AF4188FC3AF41051CFAACC9A650D029ABC311F88576B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F5C-6227-8B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F5C-6227-8B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.009{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F5C-6227-8B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.010{DCBFC465-2F5C-6227-8B05-000000003702}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.852{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B8B77AE929955F3F1D3A2CBDEF0B89,SHA256=FF00A2FE8A5221DFC12E0FF80D23D065D0053D9D4ED134B49FA20AA289E9F499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.996{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.996{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.996{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.995{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F5D-6227-7008-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.995{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5D-6227-7008-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.995{C64CDE3E-2F5D-6227-7008-000000003602}4444C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5D-6227-6F08-000000003602}7024C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F5D-6227-6F08-000000003602}7024C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.913{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5D-6227-6F08-000000003602}7024C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.919{C64CDE3E-2F5D-6227-6F08-000000003602}7024C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5D-6227-6E08-000000003602}2436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F5D-6227-6E08-000000003602}2436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.898{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5D-6227-6E08-000000003602}2436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.902{C64CDE3E-2F5D-6227-6E08-000000003602}2436C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.545{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD84AD9F2C43F117AFF2344124C4C6,SHA256=C4B2A5646AA28948FD88C2C5124235BB693E27B5830202348BBA9FE870FF82C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.571{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39ED6E2B16286C1599CA318F54B092E9,SHA256=E7A6B9797CC161FD545DF5AF6664FAAD60DB1FEE92E9C36EC8CD2790F0C41F65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.431{DCBFC465-2F5D-6227-8D05-000000003702}15643824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.275{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0556017AD798A7AFF7066F1646FC4B,SHA256=FDE5C4D5055FDE1C5933BBB7F9E0C7CC13D12C662A497B7A604BDCCEF887F7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F5D-6227-8D05-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2F5D-6227-8D05-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.118{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F5D-6227-8D05-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:37.119{DCBFC465-2F5D-6227-8D05-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7908-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7908-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.972{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7908-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.969{C64CDE3E-2F5E-6227-7908-000000003602}5116C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F10EA8CEDE68DBAB1C5420347520F9B,SHA256=33DB0D0E32DEA936C0991E0876B6BFE8BAB2DC0E24CCB187F860461871E5B906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7808-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7808-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7808-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.925{C64CDE3E-2F5E-6227-7808-000000003602}5180C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterSetValue2022-03-08 10:26:38.888{C64CDE3E-2F5E-6227-7708-000000003602}2556C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealthDWORD (0x00000001) 10341000x800000000000000036521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.888{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7708-000000003602}2556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.888{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.872{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7708-000000003602}2556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.872{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7708-000000003602}2556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.887{C64CDE3E-2F5E-6227-7708-000000003602}2556C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7608-000000003602}6404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7608-000000003602}6404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.841{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7608-000000003602}6404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.847{C64CDE3E-2F5E-6227-7608-000000003602}6404C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.788{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8140F309245C67D938A39450E30AEC,SHA256=A38F7BF0CFEE014DC102D1E2E374CA520C73076837D33D719F083C279A84EAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.788{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F50F8A56A87839BDD8579C6999BDB6,SHA256=C2A828798D010FC192F698003CF09B2745B201A753AFC31E6267B1454661DAEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:36.325{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F5E-6227-8E05-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2F5E-6227-8E05-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.196{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F5E-6227-8E05-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:38.197{DCBFC465-2F5E-6227-8E05-000000003702}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.370{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7508-000000003602}6756C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7508-000000003602}6756C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.354{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7508-000000003602}6756C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.363{C64CDE3E-2F5E-6227-7508-000000003602}6756C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.323{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7408-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7408-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.308{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7408-000000003602}6652C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.317{C64CDE3E-2F5E-6227-7408-000000003602}6652C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 354300x800000000000000036487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:34.693{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000036486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7308-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7308-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7308-000000003602}4768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.270{C64CDE3E-2F5E-6227-7308-000000003602}4768C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.239{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7208-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7208-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.223{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7208-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.233{C64CDE3E-2F5E-6227-7208-000000003602}5916C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.201{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5E-6227-7108-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.196{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.196{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.195{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.195{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.194{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5E-6227-7108-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.194{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5E-6227-7108-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.194{C64CDE3E-2F5E-6227-7108-000000003602}3856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.998{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5D-6227-7008-000000003602}4444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:37.996{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:39.213{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23CF3DA19A055140E33F0097F816BB8F,SHA256=73C02A362CB15EBE6A6187CD0573B5A8EACCDF17ECFC74B428CAEBE99DB7C0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:39.009{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E24E991D4AC368781276FBED6A3EE00,SHA256=7F16DE0246FD32E52D5F53A35E1825C59C05FC3D2BFADDA0DC55B08C8390D493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.987{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8608-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8608-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8608-000000003602}7012C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.983{C64CDE3E-2F5F-6227-8608-000000003602}7012C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.972{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C0AAACD32DF745E197A96D1FC4D43E,SHA256=CC2EE1F8D18FEB02EA57CDB59E3E5370C7C90DA2BAB8957A3884F2A0334BBF11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.941{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8508-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD20546B126C20E92709CD01C7D4A55C,SHA256=26F336D923F23F4E97535E4C8C36D66593B156E976B2FABA7E0C478189E857F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8508-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8508-000000003602}2504C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.925{C64CDE3E-2F5F-6227-8508-000000003602}2504C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.909{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8408-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8408-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.887{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8408-000000003602}6408C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.900{C64CDE3E-2F5F-6227-8408-000000003602}6408C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.872{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34644FCBDB37F0E788DD8B08AB9208C3,SHA256=F51787E8160B78322447E315E519BFD7407524806E08F7E66E15EE5003A0269B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8308-000000003602}4404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8308-000000003602}4404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.856{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8308-000000003602}4404C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.858{C64CDE3E-2F5F-6227-8308-000000003602}4404C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.825{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8208-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8208-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8208-000000003602}3880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.820{C64CDE3E-2F5F-6227-8208-000000003602}3880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8108-000000003602}6416C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.809{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8108-000000003602}6416C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.808{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8108-000000003602}6416C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.808{C64CDE3E-2F5F-6227-8108-000000003602}6416C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-8008-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-8008-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.787{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-8008-000000003602}4964C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.792{C64CDE3E-2F5F-6227-8008-000000003602}4964C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.540{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7924E71D5DC9C9405F600436F27A8214,SHA256=1FB32D55BF01A2640EB38D79529A8C78DA9284E18F81C857D19DDC81ADA18F69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7F08-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7F08-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.440{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7F08-000000003602}4740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.450{C64CDE3E-2F5F-6227-7F08-000000003602}4740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7E08-000000003602}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7E08-000000003602}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.409{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7E08-000000003602}4392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.410{C64CDE3E-2F5F-6227-7E08-000000003602}4392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7D08-000000003602}5172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7D08-000000003602}5172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7D08-000000003602}5172C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.372{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.379{C64CDE3E-2F5F-6227-7D08-000000003602}5172C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000036564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterDeleteValue2022-03-08 10:26:39.356{C64CDE3E-2F5F-6227-7C08-000000003602}4588C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth 10341000x800000000000000036563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.356{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7C08-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7C08-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.340{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7C08-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.351{C64CDE3E-2F5F-6227-7C08-000000003602}4588C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.325{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7B08-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7B08-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.309{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7B08-000000003602}3208C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.321{C64CDE3E-2F5F-6227-7B08-000000003602}3208C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.009{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F5F-6227-7A08-000000003602}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F5F-6227-7A08-000000003602}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:38.988{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F5F-6227-7A08-000000003602}4796C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:39.001{C64CDE3E-2F5F-6227-7A08-000000003602}4796C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.956{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A37C0EFBE5E60FAC62F8572C212F7F,SHA256=4CFE1A40BEB98E1C4E58FDCEA674462538612AA78AED94D94E72E9B61BDD1654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:40.009{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AC89FF3C63B8458A8E256CD1F49A95,SHA256=DFB7C7F831DA7E666FC366FFA1DE6A3F974BD204AA4869195F8D4A280973A4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.606{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC0ADB1D17BC8EC483B7A400A7FA2E3,SHA256=C8CAE60EDE028A5CC548015F05E17A4A507FF4A3CD96A480001DFECF574EE364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.509{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8D08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.488{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.472{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.472{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8D08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.472{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8D08-000000003602}700C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.485{C64CDE3E-2F60-6227-8D08-000000003602}700C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8C08-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8C08-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.441{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8C08-000000003602}6360C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.446{C64CDE3E-2F60-6227-8C08-000000003602}6360C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.425{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8B08-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8B08-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8B08-000000003602}1184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.423{C64CDE3E-2F60-6227-8B08-000000003602}1184C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8A08-000000003602}2588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.409{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.408{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.408{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.408{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8A08-000000003602}2588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.407{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8A08-000000003602}2588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.407{C64CDE3E-2F60-6227-8A08-000000003602}2588C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8908-000000003602}3708C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8908-000000003602}3708C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.272{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8908-000000003602}3708C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.280{C64CDE3E-2F60-6227-8908-000000003602}3708C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8808-000000003602}6244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8808-000000003602}6244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.240{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8808-000000003602}6244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.249{C64CDE3E-2F60-6227-8808-000000003602}6244C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8708-000000003602}4760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8708-000000003602}4760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.225{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8708-000000003602}4760C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.236{C64CDE3E-2F60-6227-8708-000000003602}4760C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:41.227{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ED07C6AC8C8C1B37CBC1A7CF344CF3,SHA256=5D48A2958D856DFD18B5AFD09F9BC014651175B20AAD7A00CBC2A5914A7139D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F61-6227-9208-000000003602}4924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.072{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F61-6227-9208-000000003602}4924C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.077{C64CDE3E-2F61-6227-9208-000000003602}4924C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.056{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F61-6227-9108-000000003602}2776C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F61-6227-9108-000000003602}2776C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F61-6227-9108-000000003602}2776C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.053{C64CDE3E-2F61-6227-9108-000000003602}2776C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F61-6227-9008-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.040{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.025{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.025{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F61-6227-9008-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.025{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.025{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F61-6227-9008-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.039{C64CDE3E-2F61-6227-9008-000000003602}5392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F61-6227-8F08-000000003602}6332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F61-6227-8F08-000000003602}6332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F61-6227-8F08-000000003602}6332C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.015{C64CDE3E-2F61-6227-8F08-000000003602}6332C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:41.009{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19B84790D3F289AD86762375B7FCACAC,SHA256=A067AB1097045DB9D5BA5371AC39797A6302B8E3261474BB692590006A5B1E06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F60-6227-8E08-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F60-6227-8E08-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.987{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F60-6227-8E08-000000003602}1552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.997{C64CDE3E-2F60-6227-8E08-000000003602}1552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:42.337{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D7FD3EC650C94A001078321EF25504,SHA256=5160C731B463E0BED12A0395B8CD2146BD31741B645D7C12F6C7843EBE9DAEC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F62-6227-9708-000000003602}2804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F62-6227-9708-000000003602}2804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F62-6227-9708-000000003602}2804C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.292{C64CDE3E-2F62-6227-9708-000000003602}2804C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F62-6227-9608-000000003602}4276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F62-6227-9608-000000003602}4276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.245{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F62-6227-9608-000000003602}4276C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.248{C64CDE3E-2F62-6227-9608-000000003602}4276C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.213{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F62-6227-9508-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F62-6227-9508-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F62-6227-9508-000000003602}7112C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.206{C64CDE3E-2F62-6227-9508-000000003602}7112C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F62-6227-9408-000000003602}1556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F62-6227-9408-000000003602}1556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F62-6227-9408-000000003602}1556C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.192{C64CDE3E-2F62-6227-9408-000000003602}1556C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000036757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.177{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F62-6227-9308-000000003602}5928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1CE6-6227-0C00-000000003602}8246816C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F62-6227-9308-000000003602}5928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F62-6227-9308-000000003602}5928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.169{C64CDE3E-2F62-6227-9308-000000003602}5928C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000036749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA56A961336C15F1569761F7811CEE9,SHA256=7F7C6BFE955C6541ED889FA52DA1FDADB1D2E1CD207AE80484A68719F21B1E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:42.161{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12A6D39A101F6CD8396EF3379951C45C,SHA256=961484674E8563D718BD1C72E666437AD695D80B36E727C830C113CDC99D9E50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:41.356{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:43.399{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE4B8575D3CDD42CC4E107110619AED,SHA256=1AA0B7FF8092A886156F8B5840F18150B2C113B559D80E6184685B4852351BE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.929{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.929{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.929{C64CDE3E-2013-6227-1602-000000003602}17406608C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.913{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.913{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.913{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.913{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-292B-6227-FA06-000000003602}4996C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:40.691{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.292{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E312572FC8B7BEEA59B6C5F841C0C7,SHA256=F78E24EB78876E04A52EF41D0BA0E3C4B94A87CED7A840E5B96C8A930B3872C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:43.176{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C95E5BD5FE1022A2EB1036468D8E42E,SHA256=C88C57DAF49B500BA1A30386AC85B452E48371392C333041082B0C36EA81F5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:44.587{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E56AF6F1634A5B95734018BBC902A48,SHA256=3614894DFFBBD1D832F0242C7969581292CAF83E8AAFF9EBFC08AEB9370A2D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:44.177{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60053926CE0265A94E53AC4FD5FB55B3,SHA256=325A9AF9FF7771C9C41B0F4B31A058AF6F602FA5DFD6656C3E04064284E44737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:44.337{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:43.575{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:45.821{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9813787942A13DF62D46E41D843EA955,SHA256=B1A3223A6856C07DE132E511F35BAA1F2398683B21D9A6F7F6C933E9D3931115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:45.192{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC713DEE04716FF2EEE7480AD085D0B,SHA256=DA1359DB6E597FA76FADD326BDB508F2FE3AC5DA87034083BCE005E11D28D270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:46.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE165337B5E11E3D85FDAC2F642F290,SHA256=E3BE1F04B4C6AE0A3F0BCA9CC13DC6C9889E4A0A0A2FC8C009BC16B48C0B2D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:47.056{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7431052292767C1CE3ECA12E5A6A1DF0,SHA256=B58E6242FF8E3C54D4FB290DDCE863BF1DAEC4A148440821EA50361E565083C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:47.231{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B9594A5437BD171C548D98FCDFE32F,SHA256=15EE33E246D1D21C4F38B526B4AEF954DD49896350764E7B4F2C428D244C75BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:48.291{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B4293363DE5B7C264D6BEE39C24A5,SHA256=BFC8DFC4C400496766A93D07BDF43DC4AE059C7848F353E404B033D00D638FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:48.261{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A77951BAF8FDB89155019B7C655101,SHA256=5F844A52CF987B2A6D80BD443C901C578586FE7BE7C57EA91665C0C57C596F50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:47.279{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:49.306{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302BFAC2AB728B01469EE7342592084,SHA256=DFE7A1421A7DD440EA58BBB67C6E2CE468EBAA416F8C947EF168F68D6B811D4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:46.606{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:49.311{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C368B2185B16C17F920AFB00013FAA,SHA256=ADF408A5803FC4174BCFC05BEDAB962B76347B84474FB3FC30918539D4D46CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:50.416{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA82BE6C1EA05519B8DF1654F424607,SHA256=5855C864A9BE087823AEB230506F2E94805E850E825D4016CAA5B278A56C5B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:50.333{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69874244E109605AEE7A6094C1704E25,SHA256=66615442CB6EE74F27848348DEC459EE04D79A2293A6A343B6712B45EDEF9C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:51.416{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B891F2EFDD95870FC13F2BFC3029C58A,SHA256=281BBDE30A3C3D2CC7A4E993ACD0C783153025C2B91E8010BCF93CF621FF6781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:51.349{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A387FED76C9F780799928BF54F07BD59,SHA256=26ADAC7117482848A3246AB2ABBCE0ABF5DF6DD649195C2AA3698C0698292D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:52.431{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC5860111961DA70AA2C51471EAA350,SHA256=05FDCAEA4EE24B022E12842E4BDB97DE3EBE4FEC1B3890D68BB50494294A92D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:52.365{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC6436CBE3070768D6D5C4CEC5D6BFD,SHA256=2324B8E07E7ECEBB66141401EA7D7537A9A4C99F11C4DDAED025A0BE22A011AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:53.447{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC47DDF9BB45437A82A0F45C937F524F,SHA256=CF116EC23DA8BC8BDC7286B297BC6A1DDA6D97CE2F02F79C9E8F26F6A06035CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:53.380{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B40D3B6ABF55B6ED5C71DDD06C72FC,SHA256=361FEC8D36B6FCE94EAAFC0F4BA2555AB189F14CD2CFC173EE1BD211131BCF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:53.011{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0620398A69237F438A35A0BD8A011950,SHA256=2205DD35D3B57840D9151B47321B8ECA0CC1F6A2BE89DEB5270258AE45C865A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:54.463{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F51BD952BAD314ACEFB8695DA33EC8,SHA256=26DC7C311035FD880373B9D02AB5A9AA1608BAE413D0B4B424C91CD170E4AE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:54.383{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614853274C1189060609E9D8B3D971A9,SHA256=91B75E46E5ACA68E87D969F02660AC607417D9A30D9A6236763A1CB941CDF2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:55.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651783C318A3682652DA628DD5011609,SHA256=4CC79684FBD9351DFECE498A7079B57CE9D09E8F53B41AB05BFA6F426B9A5972,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:52.624{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:55.383{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7F8E37724019B70F1553C26FA24338,SHA256=964B0F9CD09D99272C7F4D5E3B7A466CFEF06CE81E8ECC17451857C19CDB7DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:52.451{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:56.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CD38E97DE80D8BF6B632DA27D12B17,SHA256=0711ED3B39A4E4A38AE570C728B82A1C85580EEB20A13B3F0A0BDEF2811E7FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:56.398{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C643D1DDE1472370825AD1095ADF7D,SHA256=2EA97E7FF809D7F42957EDCFCF8BA9884BD68910D644FFB1EE43864AFCAC28A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:57.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ACE66806D35EC27BBD8BDC2E531B48,SHA256=3C4F27C21BEB66CF19CBA2A323A6903C77077A40E42D01D186C2FB062ECD14A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:57.413{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BAA74C392A67F2D622DFDA4C9F55D,SHA256=3C0D221B8FA3FD47EF4CA47251F66054F37D0F9DA2F063CFA5DC6F18C1E6DC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:57.351{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=8D5DEE7FC1509D3CC1B90A3A2CFC3FA9,SHA256=1D713C66586D9533A1AF910873E348E78E09F7C138DA4DA3D2E2BA1BABA5EC05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:57.135{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:58.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569B8AC966DE9B0FA1EE75F597092618,SHA256=EB64CA6E7DF9668383E6AD6B0E10610D7C2D824FB06DC4A5D073B7C000EDD836,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:55.658{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000036819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:58.481{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8661F93F393C56B43E9C52737EF919A,SHA256=C7DEF77A6EE661F737512FAA27248C0295C07866D23A4645B8DCF4EBFC6BADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:59.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546A914FB3C1E578161A9421378450C9,SHA256=BCDB8CB9A86DE8B1288ADEB75DF8B810B2EE8437BACD27EC3F8DB79FE143478E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:59.497{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F50048E4BC0AEC8CBB80BD7E3567CB9,SHA256=EABFFD74376A1220E370395185F4FB2A3475F07A991220A80DA65E9E34F19FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:00.494{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB0C44A1C02C2CD3AFC26C92E8CDEC2,SHA256=0FFE5D08DB4E543338DE8A4B9C50E91D2810C67C7AE8E88A6BB4533AADABC325,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:26:57.673{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:00.499{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9F4B52B962813735E4D7A5514D7F57,SHA256=5B872BACE19409C9B9991A94BABA1F931B83EFFB1A320E22436C1744281A3DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:26:58.294{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:01.509{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2E93D89AABB4331915D374236F4289,SHA256=34D19DBC063F8188976A0E843E386D3A80E3B5845FBD3968B97DD7C5675DBF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:01.531{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8AF49EF38E0CCE82A67BB8F20DFDEE,SHA256=CCFCE76B49107F6FC2E9D20F5B3C3ECA16DF3449C665DD2EF3FC54824B79F1A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:02.509{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF826A87CBC487BC123C540FBAB0A49A,SHA256=A413EF03691FD888BCC9702EA851835C0270030ED297D731ED07A0B880C51A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:02.567{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656837B56CC795665D5CF73ADA55CA1C,SHA256=722FF724452F9725925BE0A40703E5DAA8A747FDC0983A476EBB64093C578C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:03.744{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B83A354155CB2B7D60BFE64B4D3B01E,SHA256=8181F3B4921E30DBA1643F47FBA25FAEE4FB1BE6EA5D1F57A406C5161943B89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:03.598{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2516B0D5DF888BB7CDA2D99A89F96F9D,SHA256=D7F414C2EBCDDA42BE8133E9A7FBEB7E0FB7FF7FA39AA2B44717824704E535B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:04.775{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE38311E556E2D44D43205EBCCE06BB,SHA256=F339BA446BE9BBF53348CDA18889A8F66DA1E9029386FA511579F2C73FB752FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:04.613{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7E3E5750C4DEE2222363F185A3BFD1,SHA256=15850619A73DC5ED1AE3B00CDBADDEF0206C224252983E578B8E9D31459D6808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:05.791{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C005CB7CC388193B8FBD1D7156C64B77,SHA256=6617BA86C0EB6CB76CADD79671BF58B7A40DCE2E07BA1B606D11246E517660C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:05.615{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6A5BE8E9AD28475E4D614909BA7C0D,SHA256=EFA01312695BBB4E208AA226AA69D35AF48B8075544D5C4F40D1F6F69F32BDA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:03.482{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:06.822{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7FB7C7CAECD6F3650CEC76A394827A,SHA256=598C98F2E75C4E4C9128FD233247D9CF15EF2B64BCB64875E6B839E4F06F2880,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:03.658{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:06.624{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10740175F974EA1EF7410E38B9226F46,SHA256=A9135AE18B8F0CB321AE8D3052EC46EC1CC7A6A2E5BA3DD9CBF01BD0348B746B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:07.809{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-03-08_102657MD5=CFFDEBCF0F9ED47D579B1030A0161477,SHA256=5763B3BE5DB2492A07BCF841652E52321A394CE5398878AA2BD2744888149F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:07.793{C64CDE3E-292B-6227-FA06-000000003602}4996ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=A35E8C7609A18E38BBD6CFD469D2F1C6,SHA256=04596B4666E74A2242E4EBBD3CC5E0DA16F808A47E6C3C4CCE6C4BD2FE3DA95C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:07.624{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B09AD6F10855D26A43E1AC7B974B1F,SHA256=56A5A70DCA134B64F23BF7C0065F17B640D16ED610F302417DC75EA8049E66BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:08.052{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F68A46D23A3C61F5653BBDD113E755,SHA256=EEC355829081FEAE97B9D514B037C2F4A25D5ECDA9668FDDD5945037EFE257A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:08.661{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BA57B6DD3840E04982D92B65A5478F,SHA256=D30D1F26B7AC3C2E271B1252506360739368BB14FD7330E4F4C300619989C465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:08.064{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-076MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:09.676{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5816A0791D5AF110D7C7490DF62EC235,SHA256=469E0ED94C612C32505AA391F68616A5BCEEF7B4CBCD583739B8F4979B04F3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:09.099{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37D0857BF4B5346E8CAA0E4BB4DCB54,SHA256=8FB33EFA82B4ACC5BE9EA90E0F9CFAD55B926B73868AF225174074AB9F12CB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:09.078{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:10.725{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAF2023C6844C266004350E75098A72,SHA256=855B3BCB26F448AA745F0ADAC3B30BDA322F9239E3BF4751EB555BC360F7BD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:10.099{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5408D358E3727301B0050F4165D3E723,SHA256=BBC0A5EA2A5AADAD01442DA0881865A2D0A3321D276437AE329C4A7E2B554873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.726{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EB5874FDA0F9F567CD856359584897,SHA256=5F7FFE5F5B3E81A65FB4040CE51995EB5052A7F3823B26EA8A73FC17B198DBF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:09.323{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:11.255{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FDBB8AE17D89E2AB7D814EFEF80367,SHA256=EE734542D33EEB980079F5BA009FF9D1D3F822A56446A45048B617EB5BBADCEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.111{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:11.095{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2D33-6227-9207-000000003602}5660C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:12.474{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49204E1478B00E3C85DD5D2E975A15C,SHA256=0A391D363AA4250BC78EB1E86B80E2FCCBB070E28E42A494B0938BD0D8191A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:09.624{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000036847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:12.745{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677932EC571132AEA0EB9EEE1C0E5728,SHA256=B0BE47181D59C448CFE9D19EB04980F2A7E7C4F0E010EC568AE9227AB7418B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.763{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94666CF8F97851961A07654E36B46856,SHA256=0546392D47465E3616604758257A51B621ADA737587FC4DE347B376113B137E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:13.599{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA5650774B439BB87107CC2E63ED5DA,SHA256=E3F1EF72B220F3249B4CD17CE67CBF024FAB1ECE4B89CD0C8AE1CDBE7C724BB8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.226{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=8371F185827B0AF90EBC77E177D08A054E5C956C1C5FC4BFCAB7E534E91B1723 13241300x800000000000000036869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.226{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x800000000000000036868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local2022-03-08 10:27:13.226C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=8371F185827B0AF90EBC77E177D08A054E5C956C1C5FC4BFCAB7E534E91B1723 13241300x800000000000000036867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.226{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x800000000000000036866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x800000000000000036865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x800000000000000036864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x800000000000000036863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x800000000000000036862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x800000000000000036861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x800000000000000036860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x800000000000000036859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x800000000000000036858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:13.210{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x800000000000000036857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.195{C64CDE3E-1CE4-6227-0B00-000000003602}612816C:\Windows\system32\lsass.exe{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-2D33-6227-9207-000000003602}56606028C:\Windows\system32\conhost.exe{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.026{C64CDE3E-2D33-6227-9107-000000003602}52841416C:\Windows\system32\cmd.exe{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:13.029{C64CDE3E-2F81-6227-9808-000000003602}3856C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{C64CDE3E-2D33-6227-9107-000000003602}5284C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000036874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:14.778{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D54713C555C638148CCD20953329F1,SHA256=B80C04B1A5F2DC60631761A160AF742FC817A2D165EDFA022EB2FD855A2636EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:14.615{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740BBA5A7C182063C45D2EF503413148,SHA256=882422137949394861A160F583D2CF6D7E425038E06231AADEE080F213983181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:14.045{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98B3F74BF52BE9692D440660420C184D,SHA256=0A1EA41EC99C5BB5AFEE34CB2AD3351D7DAFF46C5DDBE0986F21E363315CF384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:14.044{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFB72E24B57DB57DA09217387823CC1D,SHA256=EFD3AA61925E5229E9AE86C56899B49DC8D3CCF538418C5E7A3208234019F33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:15.618{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B0AAF3BD134771B9F163717A6F4E0A,SHA256=339D7AFB30A9C344DE10B5D2D35F1CE236BFEA7D09BAF4308039704621A791F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.878{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.878{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.878{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.878{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.862{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.862{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.862{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:15.793{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C1FECFF682CDEFA8E2C62925E68DA,SHA256=484DC60BE819C2CBBA8FC23BF02A5BDFBC34F5C11CED04E7014D94E2D9198AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:15.353{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-064MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:14.354{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:16.772{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A7AABA6C0EC526CF2C0789EE786176,SHA256=B4C7A779E3A24A39E1282D084A6C0D20E5C32D5314A05E7CD71ABFF4D0EC9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:16.794{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D52E37FF04E27891FC47728D166E144,SHA256=1DBC69DA6537D60FAB51E4EA24FEF590CB3A297891EDF0BD59A242EDE22B12DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:16.354{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:17.806{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FAB0886BD7B87B39EBEFAE40A09003,SHA256=FDC4F4C58A33F496FAE4D681BF3D7D9C8C8F417ECE6BCFC8E853B907C97A4944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.809{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88DDDB3E0DD0A078DD660B5080AEF7F,SHA256=EE2736FCC7E1E19B1FD5C14F46C481D8DFCF63ED6062767A2DC52497756FE530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.478{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF91BC8F354E42D743786BF8C4D6651,SHA256=37076DAB6F4BA24EE2DE6CC402EB849F183AED837E5A863D85AAC9E023EF8828,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000036955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.362{C64CDE3E-2F85-6227-A008-000000003602}4316C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogonDWORD (0x00000000) 10341000x800000000000000036954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-A008-000000003602}4316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-A008-000000003602}4316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.346{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-A008-000000003602}4316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.357{C64CDE3E-2F85-6227-A008-000000003602}4316C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.346{C64CDE3E-2F85-6227-9F08-000000003602}6376C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenuDWORD (0x00000001) 10341000x800000000000000036945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.345{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9F08-000000003602}6376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9F08-000000003602}6376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.324{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9F08-000000003602}6376C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.335{C64CDE3E-2F85-6227-9F08-000000003602}6376C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.293{C64CDE3E-2F85-6227-9E08-000000003602}5224C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOffDWORD (0x00000001) 10341000x800000000000000036936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.293{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9E08-000000003602}5224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9E08-000000003602}5224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.278{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9E08-000000003602}5224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.285{C64CDE3E-2F85-6227-9E08-000000003602}5224C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.262{C64CDE3E-2F85-6227-9D08-000000003602}5116C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCloseDWORD (0x00000001) 10341000x800000000000000036927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9D08-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9D08-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.262{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9D08-000000003602}5116C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.268{C64CDE3E-2F85-6227-9D08-000000003602}5116C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.246{C64CDE3E-2F85-6227-9C08-000000003602}5180C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanelDWORD (0x00000001) 10341000x800000000000000036918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9C08-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9C08-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.246{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9C08-000000003602}5180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.247{C64CDE3E-2F85-6227-9C08-000000003602}5180C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.225{C64CDE3E-2F85-6227-9B08-000000003602}4188C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFindDWORD (0x00000001) 10341000x800000000000000036909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9B08-000000003602}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9B08-000000003602}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.225{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9B08-000000003602}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.228{C64CDE3E-2F85-6227-9B08-000000003602}4188C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.209{C64CDE3E-2F85-6227-9A08-000000003602}6272C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRunDWORD (0x00000001) 10341000x800000000000000036900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9A08-000000003602}6272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9A08-000000003602}6272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9A08-000000003602}6272C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.209{C64CDE3E-2F85-6227-9A08-000000003602}6272C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000036892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:17.193{C64CDE3E-2F85-6227-9908-000000003602}6692C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktopDWORD (0x00000001) 10341000x800000000000000036891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F85-6227-9908-000000003602}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.193{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F85-6227-9908-000000003602}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.178{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F85-6227-9908-000000003602}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:17.192{C64CDE3E-2F85-6227-9908-000000003602}6692C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:18.899{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3CAC1C8DF41E8AF8F227595B1FED8F,SHA256=B6E2728F4BDC99C39B87356A3EB9E04A15266AD6653F0C35AA2802242B2CEDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:18.824{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C5BA40898A1C6392C457030CEB929,SHA256=2E6242BAB13DA5AFE0A657F459E241692D788BC373A9EC069B63E06BD75445A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:18.245{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98B3F74BF52BE9692D440660420C184D,SHA256=0A1EA41EC99C5BB5AFEE34CB2AD3351D7DAFF46C5DDBE0986F21E363315CF384,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:14.638{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:19.993{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE0DDDC5EA9DC3B1AD2B9A0AED54126,SHA256=D118CBFE77AA175330F6D3CAE421D4B9A37C34FB3F1EC897F95D828D7E8A0979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:19.845{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5CD2ABBE22BBBFBE2FD0FCFACB6408,SHA256=2274EB870FC66E98EB96B493D314AFAA729A252E6C80CC14B3612D92A72F59F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F88-6227-A208-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F88-6227-A208-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.977{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F88-6227-A208-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.978{C64CDE3E-2F88-6227-A208-000000003602}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.861{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778E2D83F50D40FA10513F49934A9DFB,SHA256=D2BC6F2294727F4967F9E2DDBBC80E084CD54580683C45B18434ABFFB1755D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F88-6227-A108-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F88-6227-A108-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.308{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F88-6227-A108-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.309{C64CDE3E-2F88-6227-A108-000000003602}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.077{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2E0B-6227-0908-000000003602}6300C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:21.892{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51910794F89AC567E2E20A37BC039E72,SHA256=1CCD627B987C14F51C2FE38BAD501B00E05934BFE9F685DF509E0657F196F900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:21.024{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FF0B22136CE8112F119C7F1CC7B9E7,SHA256=5186DE3FB97F427D718B6295DC67378E7CD0BD0E7344579F7F417FADB88BDF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:21.324{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5660DEEEE5234FB629C04290FF496C,SHA256=684E0B18B757047A28E5977DCB6897185395ABED0CE22C7A7A978874E4E4E61B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:21.193{C64CDE3E-2F88-6227-A208-000000003602}64165232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.908{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A253BF53366E9F32A3243E9EC611D66,SHA256=6DB93F1B7687B987C133A978A49A37EEFCAAE3B9E008857AB774EECA84B1AEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:22.118{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9D19A5BE9563B6272D21C77AD1931F,SHA256=FC2AC1A0DCB4DBFCD595FA34E433DE21D4640AC9DBDD6534BE1BCE1B9E1C2451,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F8A-6227-A308-000000003602}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2F8A-6227-A308-000000003602}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.708{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F8A-6227-A308-000000003602}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:22.709{C64CDE3E-2F8A-6227-A308-000000003602}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:20.294{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:23.306{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C98A40A73050C0DC4A4F37B4D9B0FA2,SHA256=493BA2A8EB62006D354D7D2C025E3DC510C9A4B5EDA0C299EA2CD040EB1909B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:20.619{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000037007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.986{C64CDE3E-2F8B-6227-A408-000000003602}34325028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.715{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=819A631CC4BB0E8CAAEECB15D0DBC63C,SHA256=40A531E0B7EF39B92CDDC954AEA4B3A7F02938A21B976EBC2652004AC2A5E107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F8B-6227-A408-000000003602}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2F8B-6227-A408-000000003602}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.629{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F8B-6227-A408-000000003602}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:23.630{C64CDE3E-2F8B-6227-A408-000000003602}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:24.446{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E7D975E11770BBA98093E4CAC324B5,SHA256=88734300DB572DBA57EE370BDDA25482BB710BBC33A1172CD793F8B9D95D61F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:24.018{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF128440D7C0E8C65D5E65B24C158A1,SHA256=7593FF1986021445E7F4746369AC1D46E999CCF88244C6C5EBB1934B7A4C30FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:25.478{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C46FD5E34428183C3EC6F3C329BBEA,SHA256=BC41DEC89A67BB3DC363D30F02249AD268D340E2AE14C376BBC20F777A50A2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:25.080{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358CA21FFD2BC702B2CD8F9AA579A431,SHA256=E683B57209904827A333B50AE86EF2AA7F81AF1EAA2BEA40FC171F126232396C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:21.809{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51172-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:21.809{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51172-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000019335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:26.696{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0F2305DEAFB3722008CDB87E946A42,SHA256=4E0F69167211011992AC9857030041C9E8554B8EAA3373D45FE6255C3000D264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F8E-6227-A608-000000003602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F8E-6227-A608-000000003602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F8E-6227-A608-000000003602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.720{C64CDE3E-2F8E-6227-A608-000000003602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.384{C64CDE3E-2F8E-6227-A508-000000003602}37086760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.182{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=961A66E27AEDC6B1939D6303D074CB82,SHA256=5D9214391F02BB7668A12213F0953A67BDDADDD0F695578339F3795EB340C959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.150{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48904A9E5C011E6B574A4927C476C9E,SHA256=DDB6A6FB2B9987B2C890A77603A48DCBA058DBA503B0F512D6DB8F1DBBEB7DA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F8E-6227-A508-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2F8E-6227-A508-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.048{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F8E-6227-A508-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.049{C64CDE3E-2F8E-6227-A508-000000003602}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:27.741{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511F890BB56A70D30A1E497BA3AFCE15,SHA256=99942294227B657EFC23F24670BE69FC8202B96A37721CB6B883932F70DC7708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.404{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2F8F-6227-A708-000000003602}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.400{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.399{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.399{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.399{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2F8F-6227-A708-000000003602}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.399{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2F8F-6227-A708-000000003602}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.398{C64CDE3E-2F8F-6227-A708-000000003602}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.155{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2BCA39F1AADACEBA8E5B565FBD7710,SHA256=E2ACCF134AF83C5AA735331814A45621D6C89499C96DBC950DA241AABD84BEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.050{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC337A8202BF9994BCD8342F3FBB57C,SHA256=1CE38285634B7742FAD6C30BED5044885C3096E05BB98B808AF835163374B549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:27.003{C64CDE3E-2F8E-6227-A608-000000003602}11846544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:28.741{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0EFF4F5179C8346C031D52873CFF71,SHA256=C335C5D068902DE3F10B166958F3CBE987A133F3FBC15B137B4E4DDBE32356EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17406000C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.805{C64CDE3E-2013-6227-1602-000000003602}17405212C:\Windows\Explorer.EXE{C64CDE3E-2DC6-6227-CE07-000000003602}4468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.402{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284D153340DC3C7F77704F7AC2524154,SHA256=D3CCDEF3EDB2314664F6168BBF05FC038DCBAA92CFB420C6C5CF3647530F9BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:28.166{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A4A06B5F6F402879BA12688DE6B7EE,SHA256=B2F734D9C2EBCB9BA3B76DD68B14BB92B5D8E9F6638C6AFDD15CE1ECFD698A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:25.466{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:29.741{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157012F3E7472F5E01963294173BEF1,SHA256=32E013A63D0C64D618889404EFC79FF10E787E9CF58C5C07CF7189FDAEC51B59,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:29.906{C64CDE3E-2F91-6227-AC08-000000003602}496C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose 10341000x800000000000000037096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.906{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F91-6227-AC08-000000003602}496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.885{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.885{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.885{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.869{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.869{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F91-6227-AC08-000000003602}496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.869{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F91-6227-AC08-000000003602}496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.883{C64CDE3E-2F91-6227-AC08-000000003602}496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:29.869{C64CDE3E-2F91-6227-AB08-000000003602}5516C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel 10341000x800000000000000037087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.853{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F91-6227-AB08-000000003602}5516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F91-6227-AB08-000000003602}5516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.753{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F91-6227-AB08-000000003602}5516C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.764{C64CDE3E-2F91-6227-AB08-000000003602}5516C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:29.723{C64CDE3E-2F91-6227-AA08-000000003602}5984C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind 10341000x800000000000000037078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.723{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F91-6227-AA08-000000003602}5984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F91-6227-AA08-000000003602}5984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.706{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F91-6227-AA08-000000003602}5984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.715{C64CDE3E-2F91-6227-AA08-000000003602}5984C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:29.685{C64CDE3E-2F91-6227-A908-000000003602}6468C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun 10341000x800000000000000037069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F91-6227-A908-000000003602}6468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F91-6227-A908-000000003602}6468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.653{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F91-6227-A908-000000003602}6468C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.655{C64CDE3E-2F91-6227-A908-000000003602}6468C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:29.638{C64CDE3E-2F91-6227-A808-000000003602}4380C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop 10341000x800000000000000037060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F91-6227-A808-000000003602}4380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2F91-6227-A808-000000003602}4380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.622{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F91-6227-A808-000000003602}4380C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.625{C64CDE3E-2F91-6227-A808-000000003602}4380C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:29.167{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF706F32D1FBF21AE07A3D39723FBA4,SHA256=786A7D9AF706E805FB27B9E2B137574FB781602585677CC515BC06EA6E89FE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:30.788{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EBCCF51C54DE1D39161E27502220FD,SHA256=B9D77CB260E7DD08C563C89E3489C8E7E570B07EC5C99FC8CAEEEFA552D9536B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.638{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5281385BB7310CAF4EFF08031E99AF5D,SHA256=5ABB7D79382616918EB62071E7D2136B9C6C3EFA4D4945552B4C7DECC0A3EE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.206{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7227CDA90AB0D8E96E6FB44AE743CA,SHA256=0D3DBA78ADA99C3238DDD49EFA0CB6377E50968515442EFFE20A1DEC2645DA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.185{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40965038DC4CA0773C6D660365FFBBA7,SHA256=5322610A93D56B1830AF6A83153CDAE86C279C70A3B3CD73316E1166B6CF5000,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:26.623{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000037124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.185{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F92-6227-AF08-000000003602}6580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F92-6227-AF08-000000003602}6580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.153{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F92-6227-AF08-000000003602}6580C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.159{C64CDE3E-2F92-6227-AF08-000000003602}6580C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v shutdownwithoutlogon /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.138{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0889FABD484B5BF2468E55074089999D,SHA256=6A31F990E87DA8040B9E35603D086F08DC988B4EE6C9056606E635190933012A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:30.138{C64CDE3E-2F92-6227-AE08-000000003602}5056C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu 10341000x800000000000000037114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.138{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F92-6227-AE08-000000003602}5056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F92-6227-AE08-000000003602}5056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.123{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F92-6227-AE08-000000003602}5056C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.124{C64CDE3E-2F92-6227-AE08-000000003602}5056C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:27:30.085{C64CDE3E-2F92-6227-AD08-000000003602}5880C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff 10341000x800000000000000037105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.085{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F92-6227-AD08-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F92-6227-AD08-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.069{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F92-6227-AD08-000000003602}5880C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:30.068{C64CDE3E-2F92-6227-AD08-000000003602}5880C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:31.850{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76AA2E6BB8B23C5128B4D82D38CC598,SHA256=D2923F1F05CF4ED23F7081558D6E5A5935CA02200D4281B0620CBFC313D43EED,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:31.639{C64CDE3E-2F93-6227-B408-000000003602}6180C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolumeDWORD (0x00000001) 10341000x800000000000000037173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.623{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F93-6227-B408-000000003602}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2F93-6227-B408-000000003602}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.607{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F93-6227-B408-000000003602}6180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.619{C64CDE3E-2F93-6227-B408-000000003602}6180C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:31.591{C64CDE3E-2F93-6227-B308-000000003602}5136C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPowerDWORD (0x00000001) 10341000x800000000000000037164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F93-6227-B308-000000003602}5136C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F93-6227-B308-000000003602}5136C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.591{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F93-6227-B308-000000003602}5136C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.593{C64CDE3E-2F93-6227-B308-000000003602}5136C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:31.576{C64CDE3E-2F93-6227-B208-000000003602}2164C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetworkDWORD (0x00000001) 10341000x800000000000000037155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2F93-6227-B208-000000003602}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.561{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F93-6227-B208-000000003602}2164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.571{C64CDE3E-2F93-6227-B208-000000003602}2164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterSetValue2022-03-08 10:27:31.485{C64CDE3E-2F93-6227-B108-000000003602}7156C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealthDWORD (0x00000001) 10341000x800000000000000037146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.485{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F93-6227-B108-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.470{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.470{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.470{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.454{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.454{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F93-6227-B108-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.454{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F93-6227-B108-000000003602}7156C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.461{C64CDE3E-2F93-6227-B108-000000003602}7156C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:27:31.454{C64CDE3E-2F93-6227-B008-000000003602}6124C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClockDWORD (0x00000001) 10341000x800000000000000037137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2F93-6227-B008-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2F93-6227-B008-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2F93-6227-B008-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.438{C64CDE3E-2F93-6227-B008-000000003602}6124C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.185{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764F05F28BE2275A17296FDDA7C91C13,SHA256=40B82613ACE6FB7E88B869C532D8245CD9C839CA42B73C3D62DF93C55A1E21F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:32.866{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F56B2068550317B66CF161040A23B1,SHA256=201C031B2EDD7E3E75E1375B7B68913BA01B4353FDEF93270298B233E6EC970E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:32.585{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFCDBCCF15DF80F76663D568CB65DD4,SHA256=93099C443C95F72E9A0D757804AB2D13720B375287DBF08A7FB841310E3AA640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:32.585{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BACC92ACCEA9BB43EDCB3B49953168C,SHA256=F00DC460B5D9627974721EF344647083B22DAFCF862E52C5A66FB6D4E33B3F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:33.603{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30535470459C0AA2DD220A0246F6BF3,SHA256=699DEB7F00E8621845229E5D6D5CA263790003D39E1138A5DA0AC5D51B160B7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.819{DCBFC465-2F95-6227-9005-000000003702}6283444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.600{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12636D1748D23E42960ECAE44020DF9E,SHA256=EF7ED49ECDD3186928BF9423448690C82A5190CB44E641B63210651BA6AC7DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F95-6227-9005-000000003702}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F95-6227-9005-000000003702}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.585{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F95-6227-9005-000000003702}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.586{DCBFC465-2F95-6227-9005-000000003702}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F95-6227-8F05-000000003702}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F95-6227-8F05-000000003702}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F95-6227-8F05-000000003702}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:33.085{DCBFC465-2F95-6227-8F05-000000003702}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:34.622{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB41FCA144182D765F46BC1CA97433,SHA256=8B032B9933A3F282A3DBB1241A3356BA14827207FF09C4420C6F99211C7AE173,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:31.324{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:34.290{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD7093EB7A089B0F0DADAB20815FA84,SHA256=48C25F3BA3DF113E6499A17B65FBD6CF4A32E7F9BD5CED8BDA7EA4EAED60ED60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:34.100{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFA561967BDB638D1596A715BCAE7D67,SHA256=055630CCE32CDBCC8CAC3F92C4FB281F296D61F71941EDDE12C2C4EF8279DA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:34.100{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC7FFD2772F389718A9438B3C3BC80F,SHA256=C5F3BB58ED15FD7264640B38913474CA84734619B6CE8F20D47D2F564BDD7002,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:31.679{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:35.638{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7120A00DD245D7E8F592DC62A6F5A587,SHA256=E8860AB7F5FE84A8B0B0929C5DBD9A3B34E1149B295153388B808E86B6CCB59C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F97-6227-9205-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F97-6227-9205-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F97-6227-9205-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.757{DCBFC465-2F97-6227-9205-000000003702}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.475{DCBFC465-2F97-6227-9105-000000003702}19001404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.147{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA77975A4222A100F34598351D8D9C0,SHA256=CCB3721A9AD36C89F0D3649E48C607A99BEC1887AD3E948A49793228DA2B82DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F97-6227-9105-000000003702}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2F97-6227-9105-000000003702}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.132{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F97-6227-9105-000000003702}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:35.133{DCBFC465-2F97-6227-9105-000000003702}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.882{DCBFC465-2F98-6227-9305-000000003702}35203584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.757{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE0-6227-1300-000000003702}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F98-6227-9305-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F98-6227-9305-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.647{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F98-6227-9305-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.648{DCBFC465-2F98-6227-9305-000000003702}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.382{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFC8BAA56DA5F47AA93F8C00D6E5868,SHA256=C9885964AD1EBFE413F88C6C52B7AF12BB25E250D0E1303835C07ABDC2BD47E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:36.668{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B0B7EC82B57936961AE523AFBCB59,SHA256=3178E367C96E1A88FC9D75A91DDAAEE065C2FADE341A785A04674398C1C6D320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:36.148{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFA561967BDB638D1596A715BCAE7D67,SHA256=055630CCE32CDBCC8CAC3F92C4FB281F296D61F71941EDDE12C2C4EF8279DA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.835{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884F0E27F83C09FA29918F2D03C7B0C3,SHA256=D88FC78672D45AC5F06FFFC703ED69A6E7CDDD05D54C3CF9ADCB1DB9736C0441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.835{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA88B8574DDABC25E7968C76204FBE0,SHA256=090B90E12C4D6C95F525900A5EA8B7239F7FDBF39503ABB78C206E9958014F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.569{DCBFC465-2F99-6227-9405-000000003702}38842456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:37.684{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72E54624E0FAC64F3A03B8E53AF5365,SHA256=9E3F5489CF17BC3100B54C683803011875558561538B7F8414E6973F6DABC0C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F99-6227-9405-000000003702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F99-6227-9405-000000003702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.335{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F99-6227-9405-000000003702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.336{DCBFC465-2F99-6227-9405-000000003702}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:37.468{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=361C9DD4B3E7983F7764CB4FCA4C51B8,SHA256=EBF75CEEB936FAD104F84B8B8E2F03FAF7DF6A765E32DF921D0909B40E743C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.632{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DAC4930C37024883BB4F4B7C40E00B,SHA256=75EFD279000767FC2D173A771AE5A2BFF47009CF0C151375FD317926D4BB99A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:38.703{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857D94F421B0877B13D43B0690D0DEBD,SHA256=F91645CD59BD486A7FF9F5BA53224D21B07ED249764D232BD64B4D178F1C33DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2F9A-6227-9505-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-2F9A-6227-9505-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.225{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2F9A-6227-9505-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:38.226{DCBFC465-2F9A-6227-9505-000000003702}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:37.354{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:39.632{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B9448035655EC5360C516D6287A424,SHA256=7EBD76B3A5348C76C18BD4368D63F976AEA8BC286C7B9FF18D7BEF81EE25BCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:39.721{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87BAA3D01D114B6C0C7EAFAD4C51B59,SHA256=A772895C367792805B43AA75A1918F5893ABBB2D50CC5B0E83C80668D6F0A798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:39.241{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A06738BA21F2F4BD0DD937347C0C2DC,SHA256=AB22A76A61033DF2CFE910800EBC55F43D771002B679F821F3E764EFA45E7B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:40.647{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E157026C81EC0C858C9C675535260987,SHA256=CA9A61CAF8FE3BC421DEF225CC153643B5F4D015E650F05F82D0CFF0E7C2E41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:40.736{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6ABFD9A24307EB384DA20A89A301F5,SHA256=8305D959485B08CB643DE96186006E36587CEB592606E48241BCB25E68EA0AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:37.709{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:41.835{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E62596100815CE668B5C4BEEC434C66,SHA256=538A89716FA778B687E0E0970C7341205D34E25A070685666D77A8C6A613BAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:41.736{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0174606D95BEE26840D95CE66D20748,SHA256=1FFCEF9DC23AE7F906C3C8BB19F17A35A82C56E31EF1BCFFDD27E7EC3030B86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:42.835{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979BAD6C79ED8217FB28F7D692B84CF2,SHA256=D88233A221FEFA5BF1CBB0889F50E43FA1F107CA6A2CDB9C7273527B994E3B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:42.752{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D34361E58BD34C88B2315FBED2B7956,SHA256=31F421AF2CA03CA8D13A642EE0FB9F48099AB86301973FF79B6C4DBA1B711EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:43.850{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BACD324D238A74A3CADAC8D24163C0,SHA256=161D7DE3947BAF14609F3F71D85C0737F1198621D436B4D8332F1F6BA6C7B3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:43.767{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231C66300B6F00178C1843A2AAE7B9A4,SHA256=10E879F8777B3D8BB447F1BBC82DEF216A3E347C32398CCE73DA2A962BA0B80A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:43.168{C64CDE3E-1CE6-6227-0D00-000000003602}8841404C:\Windows\system32\svchost.exe{C64CDE3E-2010-6227-0602-000000003602}4756C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:44.850{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0C58492E890FE381F6DC74F3723E95,SHA256=9BBD3663A65D9F3E80D778EFB13681F1D6F0F823631488E712957705050EA79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:44.801{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3834A99711671931E54B24FF981B17CA,SHA256=8BD8B9A8A79EEB8D5523BD1603977840B7E956E611A8D54E25C0179AA029BDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:44.366{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:43.611{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000019462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:43.323{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:45.866{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A202AEC41AFC3E10B9981A481BECCF8A,SHA256=910EFDAC37E6F328FDE65656AFF52843C9DBAFD9142AD2E7B3B3CA8743AFB64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:45.821{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F826DDED98EC5A601D2167DA034DF4E2,SHA256=16908C5AC1ED68A6D2815653691ADB5905771E16DDCBAF68D31212778A740E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:46.885{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70A87A4ABB5B65D4FAE5975064F1C39,SHA256=A18E60879847A6736286D46848690104DE92091E772A35198C88B9D97DBFD9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:46.836{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9288AFEF4E49BEDACFBB6803CBC125B6,SHA256=B0EA75E5660988F719C19CB87E0155C1B8C69ADF57AEF7F01CFCFF2E70EB178E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:42.792{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:47.852{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F40F24CE7ACD6DA89DE54F36C3B2F9,SHA256=6F7DFF4CA289AF8A5BC1191D53BF8D3BF2AA1E926A78338EAB4DF7DA93AC9F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:48.852{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0405F97A5580D5D6FAD9BE156A84F4D,SHA256=90A5BA226CC2BAF4DD89F62AD792CF51890DB4CD4C77FE11CFF88D47EE54ECDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:48.089{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B5BB006FAB63865AFC3F408FDC5AC0,SHA256=53022A848E07B2BEC87707F21C2595278E48EAEC408CCFCC77D8D1B2F0C7DB67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:49.868{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D74F4C15E68A0A2F9C67EB0E17394F1,SHA256=E8CAE21AE6B5F1535EC5ED1B3D2D1911E21EA01AA7C9EB740132AA7E19AD6166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:49.214{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A8ADDAD151A928C287A0C7BBE2B3D8,SHA256=210BFA550C8DEDB0796C35A4A8335DD134C1D173E88774CDC802D54F67EC05AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:50.871{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF6BEBC48F7D6E93429B0713AE7EDED,SHA256=48DB14430916B5C6195BAF4B96D6EFA54FB332BDDF44CB5471771AF6F19066D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:50.260{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00425DE3339FB010CC262CFDE52701,SHA256=4C2A559C2774AF6B9A33E193BD15001E8F3B921A7A31F1ED1F0102EFDE212EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:51.875{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1652F8F21F5101E568F22F5DCC577B6B,SHA256=2D9B8FAB1520B29A24B2F5A505F6695DC5FCE05AA10C18248BFA82B12A30282A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:51.260{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9615048E2992C0D2654305B3184107E5,SHA256=91AE48A20F9D910F093100EB4A5AD8D5444EE2566E0E48222059368A8272D9A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:48.678{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000019468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:48.374{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:52.888{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1F38E35EE7F344E6231CE27DDBBBF4,SHA256=9AE7D220D140D68305BEF47E4F65260BF0DB55FA905EE1C6A89338A499CC4217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:52.292{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D87DFAD9627CB9DD69DA6D41C9F172D,SHA256=4F1A04D69F1A654D196E9E05269C867F51EFFE7A56D430E89C42FA85656A50B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:52.541{C64CDE3E-1CE6-6227-1600-000000003602}12966152C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:52.541{C64CDE3E-1CE6-6227-1600-000000003602}12966152C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:53.906{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13739B97D8EB4DF3DBEA6B65E35ADC02,SHA256=838692EB0E00DDD78498436DFCC95A1173241A730229A9F427D3D91CD5034712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:53.307{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98E244F904F2E8E47E5D41093F020E4,SHA256=23F21F59344170773B48E7759BA410A3FF8B4BCA29C4E8E90D4C6787A12D9115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:53.025{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7650439005FD5AB8542C2B92ADCF6AC,SHA256=06ECD1FFFB9A682D84AAC7DE2BCFE7F2636A72B10997CC2DBD7608476E52FBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:54.925{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDF585D333054EEC7A1A83746488EE0,SHA256=5CE1E3C18BFFD8B4D36A97FCC1899EAB9C5BA4C9D2788B62E94885485DA6AE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:54.339{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDCCF2CE946A51F46F7A6F8079EEE6C,SHA256=27D93BB7480A3E6C9A60521E9A20D346A41665FE1B535BDEA3D5855EB462E863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:55.573{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95851C5489265898C46A8A0E009C4789,SHA256=C06FFCF1ED297CD37E2B0D88E7A7651A723C8E8AE8D484D23C906BFFF0EF743A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:55.928{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE56113C19A96A2E1F0BB3CBA62F83F4,SHA256=E9FFC9355850544118BC0BCCF1D67A3C3B4CA707FB72B633A24D68A70BF04750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:56.776{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE5FE49F045ADC455B082F036606A89,SHA256=B3800A74BE1150378BAB0BCA026C324D42AEA72C5C7D4744B364A920D734D194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:56.943{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B1A193E96ACF076BFB1AB3CABC82AA,SHA256=ED2E421D18D9CD94058D6F5F197C4C199EC5765D26139E30B75043F5DC031E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:53.437{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000037209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:53.780{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:57.901{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D6068F2C9150ED3C50B035832DA3A8,SHA256=B8116648A7035C0220FC2E6EBB8A4DB4E8C85DCEFE895FF069E8411D1AF064B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:57.974{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878F9BF416B69F142427BF2E302CD12B,SHA256=48F6A0B49109E7B1216AF8DCBF2F25EC2555B51368D549BA8E38145635F1D78F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:57.192{C64CDE3E-1CE4-6227-0B00-000000003602}612816C:\Windows\system32\lsass.exe{C64CDE3E-1CE1-6227-0100-000000003602}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000037212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:57.174{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=57F3A9DF8F5F67A6A3992E3FD94E0E48,SHA256=9872570285AA8197E56B83A364DA887A40FE72CDD187A6067AA13AEAC77879E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:57.159{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:58.917{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A81697B74D31C34BF083A37EA6C3D1E,SHA256=0465990B034DC34C150CE28A08FCC29E8A4D6380CC35051159051BCE62183ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:58.989{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1BAF9A430D0973B04567FB6A03C88,SHA256=35387E7459C2DD4168EE6328D2ED20E5610911AA0F644C4CA1731234E9511950,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:55.733{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51180-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000037218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:55.733{C64CDE3E-1CE1-6227-0100-000000003602}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51180-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local445microsoft-ds 354300x800000000000000037217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:55.682{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000037216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:58.210{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F84BD763205278773CBA8849DCE4263,SHA256=370255A0DE079D42DE83A7DFE75B917AC36A3E91D3CF457B94AFEAD737C08D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:58.209{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B97C2C1CB5B7E671CC5DCDD80EEFFE,SHA256=831D049C4296F14BADB90645D48D57F719D1CCDA7035A4D6F03758681DF58CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:59.917{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BE884362912AB2F7C164139615B484,SHA256=9030F54B2FEC42A949AF922ADC0E398FC47883D72902707C6ADD7D9704B2ECD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:00.932{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69A5D8672527D58146B4DF88942C22A,SHA256=EA00FB40F9D5B991AE9C183697AB5FFB28359A8999722324D2DD30E0505C26A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:00.006{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35C8948147A51A8DADA8CD6FEA126ED,SHA256=A1449180A7A2DD0986ACD1E866CB77E526A767D21176E9A83C813FA448B905A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:01.948{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BF0800F3EC0049DE94F8D2F40DC5B9,SHA256=3A7E908B6C4DFB9C17D169ED45C66E4144B54A0FDD6FEC1DB95B5041C054AF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:01.026{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC3EB7568A98D1CE0A6B0499A8973D0,SHA256=DE5234CE97F05A93D1B54C41166E9A5C95430B96BDA87707B04C86E917D2AF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:02.995{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F759F28CDCF84B0852B2C825FDB5FF5D,SHA256=B8AE6191A0854235E8DB8ED5DA780B5685ECBA2E1C2AF96C94F23A04CC894E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:27:58.468{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000037225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:27:59.627{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:02.189{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=E603B83DC895DA0AA0203BA1E0B37AB5,SHA256=3A94840E15EB8F573629A77C8BBF0284637F6E4379D612BE45A130F63F73BD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:02.073{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11683EC9EA9A174A37D930B5E908A0D4,SHA256=11B69987640D78F63A1A1590EC5416392CE7AE3F752710AB8E0BC90D73DB71B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2025-6227-3602-000000003602}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2013-6227-1602-000000003602}1740C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.172{C64CDE3E-1CE6-6227-0D00-000000003602}884904C:\Windows\system32\svchost.exe{C64CDE3E-2028-6227-3902-000000003602}5520C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:03.088{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E515DC6B2D3AC3597E2912F193D41EF,SHA256=7A2D3D1A5FBEE6124011C9DAD4BD30A9FDF76F094A22A44C027D7256603C6BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:04.010{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C008058A670564DD6D9544B8356118,SHA256=7686C7EC0BD7FBED965ABF961A3D0AB8DE960EB2BD942AB68625EBFEC997ED70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:04.456{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE70315EE4F77652CD62D6E10904D8C,SHA256=EDE01F694E00B8D0B1501966914AA10EC5400F9BF974520C8F4A36A25AF20C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:05.471{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D1E6961F22B37A4521AF100564926C,SHA256=D0FBC577D84FB059E8AA9E2BBB95B35143F28B50ED9F9FE710E2F419566DF673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:05.010{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85171EDE354818232B92ACAD35058458,SHA256=72500FA75E72FA40BD7F8FC448BE9142ABB53DEB6D414FB0F82B274CF7F693D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:06.504{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E95322FBFFD98954087515543905B45,SHA256=18D472D01D6CE5334BF943FBD98C3A92E0112C2F1506DFD5964A8890815CB563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:06.026{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CE2A514B06515415FE1A071106C652,SHA256=93E2001A6E1674CD7968351FB6B76F38D65371E8E69485D6E4275CD505F2DBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:07.523{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3C01038E70ED51ED287E491C820A11,SHA256=0E344374F09DB84D5C040BDEA84EB466E49696F8992328668DACA48D49DBCAAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:04.296{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:07.030{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A23C0B53D5F0A932312D37E1F5D01B,SHA256=7243BD88835445F45E39A569B92EA69B194BE8330309758DD5A2F50B42978B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:08.030{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F25E4610C5E8E9A6E343D7927ED7381,SHA256=56A8D73F97831E50A23AE3D3DB044470344F051C52E44040BCDD511F2CA5C2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:08.969{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63C2CA4DD96683A58AEB5BDA934D53E3,SHA256=0053815FFE2E4CF76CE289F02A13F18471495859BC82F71A9C8CB7468BA5B377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:08.969{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F84BD763205278773CBA8849DCE4263,SHA256=370255A0DE079D42DE83A7DFE75B917AC36A3E91D3CF457B94AFEAD737C08D92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:05.577{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:08.538{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B5A09F30FC413B79ACCE353857D661,SHA256=8A3C8F2A49A4630AAB34DA27F521BB14C97E2178DC072701E4F82DD8CC7C9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:09.610{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-077MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:09.554{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56570114DBA3E515715BD05069AF7FE8,SHA256=3ACA6F0F4B9AEE40A189630563F88F9342A471263D1D9EB2EC8A429087B891E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:09.046{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44AE8FCB5E409F3A62023FFC5E8BF69,SHA256=C94E3E58151938BEC41F092805F09BB5D9205764BB488861165FD4FA083B79AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:10.605{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:10.556{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FF798AF20E6BE5B03E8B01D0537852,SHA256=D2896EEB18AEBCFED4A8869A10A04F8EEA844F98AD9A10A9473457EC20AC6D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:10.046{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DD10CFA1F282E2E2B2B51589A87533,SHA256=16D15B863737F6E902B735E29490E684ADC62E01148897AC6F5A18F5D5F20B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:11.558{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4231BA932BAEB5736FF910FB80F6983B,SHA256=6DEC15EDA518395C8F87F915AC11D6FFC598CF8822EDB6ACA64BF9B30F2E4645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:11.046{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C0230B888C4BE52749FADB46B657F,SHA256=4CF58F92EB9E510CA16A3A26F20D4A52CA7228126BFA3FD89ECCA6281CC53E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:12.574{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3804C918C2AE8EA96E4501C92C2766DE,SHA256=07FF5FAFE49DB1BEB05F181575B6A8802D5669CA1122BC141B779634EDEA8DE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:09.472{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:12.061{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5FA85E0D8AA6B77CA774941E51A1F9,SHA256=B8C6271BAF5BC3464AF39CE438DB98F5C70CB2488D79D767C760751CA37E14A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:13.589{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6454B63F00E3A2908075A57026FA824C,SHA256=108E946B78D1CE330051853704A7B0E33E6887DF4086CF5A4DCC915B2A0EE596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:13.061{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136BD1556BBEAF95EFF26ABC0C528612,SHA256=2575611C771BB7688F8E1807404723EAD1C88BE31BB95DB2E73C413514636FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:14.626{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F99087307C97BC3972E3B1C5D3AA2E5,SHA256=9A1CE3F3F74D903AD633C219BAECE64FD4E0F296E9329E9CDD94EB01A1EBA4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:14.061{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56690197D7C85166ACC3F956125593E5,SHA256=FF9B49AE93A08C859B9FC79406AB370B1DF9995C2DC27D02AA61091B726FDDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:10.697{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000037281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:15.988{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000037280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:15.988{C64CDE3E-2013-6227-1602-000000003602}17405360C:\Windows\Explorer.EXE{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF801508D8FD8)|UNKNOWN(FFFFF994344A5B68)|UNKNOWN(FFFFF994344A5CE7)|UNKNOWN(FFFFF994344A0371)|UNKNOWN(FFFFF994344A1D3A)|UNKNOWN(FFFFF9943449FFF6)|UNKNOWN(FFFFF801505F0503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:15.988{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF49b41a.TMPMD5=847FF2A64311A111F9C46697989BEF76,SHA256=E334D2C69DEDC04CD4D70803894D1FCB59BA771169046B5DEDA16196007ACB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:15.641{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6DFA6389B2C98730A2C55E6339365,SHA256=FB6650D341C9183600B7021F777725717FC46653499FD30725772C9F771C7DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:15.061{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8887B5BA008FDE7BEA1E7C67A0382A69,SHA256=569D18E7CDD182C5D4BDD9BC4322292B383289D7F7A37102B98190683C993B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:16.656{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2409582C11152B727849F52D0F3EE54,SHA256=96501EF1AA08D9B59F51A4C36D836BEF4F1D724CE552CF9315DE8616C323585A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:16.881{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-065MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:16.061{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8214ABD06A7C691792AC2BFE61FA005,SHA256=7FA9C5608F31EDB1071D047F2F2F15091BC30A5A2BA8EF2F92243FDF96C74C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:17.657{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F051D17FE589339F0817305EF9B86,SHA256=9A1405288FFBC4A7A61394E4759F9AFB416F29C361EE337D1FC417E67AA2E07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:17.894{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:15.425{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:17.064{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102A5A5EE305D68AEDDA916B71C0C4D8,SHA256=FFBF40E09D9B98D865D89DD7BCA01CA018C057EA502FF4C8C3AF8D2854C5E322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:18.688{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B847A17DAD447B3353B63CC256604275,SHA256=A5D9AD212D771673CE88F173A5E0F99F2C68F90472E6E66A5CB49603D63DC502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:18.078{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244ECA12D7284640DA185D6D1A6A252E,SHA256=743AE255CE3360AA0CE3BD50AD2834C4FD7CDC2D45F47C244AE187F5D4E6893D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:19.688{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4C0AD2D9AEB4785A0629368250E0AC,SHA256=0CF349204C5C236D8240A9E0F2F825BEC14158B52B8D8ADA9760A9D153CBF73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:19.081{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057390BF78A60EA8794390369ECE5058,SHA256=5E7CE0B4A7FC70FF7A491C6DB533F0B69FD1C563E904DA5D832A5536AFC8073E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.696{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4E167CFCBC210777DEB8F8F780A619,SHA256=102047D25DDB32931CF0C2618B11CEEACA549036C53D468C664259632086B797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:20.081{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D864AFE7714A54569E70B962F4C1CA6B,SHA256=1F49BA13EBF7B63C33C026710AA503AE7C049231112F09B4256777F52F1E3578,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FC4-6227-B508-000000003602}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2FC4-6227-B508-000000003602}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.326{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FC4-6227-B508-000000003602}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:20.327{C64CDE3E-2FC4-6227-B508-000000003602}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:16.709{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.701{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98C5FA80807B9106979EE4ACD95A2D8,SHA256=C9EE0F2BCE0B5FD2F88DA8B51F9F1BFE76BA342086DB1FF3F0D3438F684DB5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:21.097{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6D8105E7A71EA3C6A7E90F6F7B82D3,SHA256=806A5675386655E15E4EE33C6595ADFF7F6EB4C01966DCBB2C659FF2A3ED25D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.458{C64CDE3E-2FC5-6227-B608-000000003602}45686340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.349{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E1F820A5AB5C24F7C01ABA31CBB2009,SHA256=3C74CE4F7E6D1C7C79A65C8A5825EF089538DE98FB9AA757BC841CA94FDEBB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.348{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63C2CA4DD96683A58AEB5BDA934D53E3,SHA256=0053815FFE2E4CF76CE289F02A13F18471495859BC82F71A9C8CB7468BA5B377,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FC5-6227-B608-000000003602}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2FC5-6227-B608-000000003602}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.180{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FC5-6227-B608-000000003602}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.181{C64CDE3E-2FC5-6227-B608-000000003602}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FC6-6227-B708-000000003602}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2FC6-6227-B708-000000003602}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.719{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FC6-6227-B708-000000003602}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.720{C64CDE3E-2FC6-6227-B708-000000003602}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:22.703{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5488A4D3B2A8C4E3DB2DB0B4345176E,SHA256=2CD0B5826816B7DABDD06E9A066C5A4C9CA55DB54FED319030990F0F2F7292C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:22.097{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAF60AE2EF761B99BAA70DA70C9069D,SHA256=89697F9ED1378001D597E44A37FE81043428DAB457FE470A55489BE852EF0B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.855{C64CDE3E-2FC7-6227-B808-000000003602}45123708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.737{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E1F820A5AB5C24F7C01ABA31CBB2009,SHA256=3C74CE4F7E6D1C7C79A65C8A5825EF089538DE98FB9AA757BC841CA94FDEBB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.706{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAF199C59B1A6B68A95CA808CB9105B,SHA256=C4731BEF21BFA96184F14EDFABDE5EC1E4923E9F8B49C04D91DE9B765023E2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:23.112{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A300B549F575BEE806F8C34D4BA18D7,SHA256=D03EF80DE993E63982E9E67E46FEB1097084F0642E69B8C59EAD0ABD2A5690DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FC7-6227-B808-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2FC7-6227-B808-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.621{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FC7-6227-B808-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:23.623{C64CDE3E-2FC7-6227-B808-000000003602}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:20.445{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:24.128{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0E1694375412F82034CB5B35E5ACA,SHA256=4D064829A5C1A7C049EAF2F5EBF0017663AAA32BF34409D1A503964BB4A7D93C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:24.652{C64CDE3E-2FC8-6227-BD08-000000003602}4496C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume 10341000x800000000000000037371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FC8-6227-BD08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FC8-6227-BD08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.636{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FC8-6227-BD08-000000003602}4496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.652{C64CDE3E-2FC8-6227-BD08-000000003602}4496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:24.636{C64CDE3E-2FC8-6227-BC08-000000003602}2740C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower 10341000x800000000000000037362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.636{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FC8-6227-BC08-000000003602}2740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FC8-6227-BC08-000000003602}2740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FC8-6227-BC08-000000003602}2740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.634{C64CDE3E-2FC8-6227-BC08-000000003602}2740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:24.621{C64CDE3E-2FC8-6227-BB08-000000003602}5692C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork 10341000x800000000000000037353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.621{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FC8-6227-BB08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.590{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.590{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.590{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.590{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.584{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FC8-6227-BB08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.583{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FC8-6227-BB08-000000003602}5692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.583{C64CDE3E-2FC8-6227-BB08-000000003602}5692C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.localT1089,Tamper-SecCenterDeleteValue2022-03-08 10:28:24.552{C64CDE3E-2FC8-6227-BA08-000000003602}1972C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth 10341000x800000000000000037344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}1972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FC8-6227-BA08-000000003602}1972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.537{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FC8-6227-BA08-000000003602}1972C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.539{C64CDE3E-2FC8-6227-BA08-000000003602}1972C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:24.506{00000000-0000-0000-0000-000000000000}3108C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock 10341000x800000000000000037335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FC8-6227-B908-000000003602}3108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FC8-6227-B908-000000003602}3108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FC8-6227-B908-000000003602}3108C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:24.506{C64CDE3E-2FC8-6227-B908-000000003602}3108C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:25.143{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D69E62F5F620345B0F341A50299032,SHA256=EFE6944D7FD633382C509FFB304CFAD6DA6AA508E1A0C2E704C07426C84EB3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:25.520{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=435939C83EC276855217AF3F5A973C63,SHA256=1E6BF1C9838D3A3FFE5EA8D05A41230DC510F2D776944F8ABBE24016BA32BCF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:25.220{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51332B137C09700211006C94CC38321,SHA256=E5EBB7017AF70D401EA7C23820E622275D2FB650CC8E702FC550CB886407DDCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.821{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51186-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.821{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51186-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:21.725{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:26.144{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0471090D16F38242AFBD2A75D083A7B9,SHA256=CA8AB3AA8EBB2BFE9CC34388F82E3985C6500CCA755F0BD1A619AD0B41486D5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FCA-6227-BF08-000000003602}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-2FCA-6227-BF08-000000003602}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.736{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FCA-6227-BF08-000000003602}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.737{C64CDE3E-2FCA-6227-BF08-000000003602}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.269{C64CDE3E-2FCA-6227-BE08-000000003602}64683832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.120{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287036E3EE8E4F84EFB85B27F9523B8C,SHA256=91E5C81B56EEFCB329F9FBA48B39CBB87786562B3389209C2291C70EB0F7475C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FCA-6227-BE08-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CE4-6227-0500-000000003602}396412C:\Windows\system32\csrss.exe{C64CDE3E-2FCA-6227-BE08-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.066{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FCA-6227-BE08-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:26.067{C64CDE3E-2FCA-6227-BE08-000000003602}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:27.144{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF12276DECD99CD0E321A5A02EF089,SHA256=EFDDD3FDFF9B0C5C893031C237435C23052DF65646EAEFB626F328F2F56F0030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-2FCB-6227-C008-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-2FCB-6227-C008-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.249{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-2FCB-6227-C008-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.250{C64CDE3E-2FCB-6227-C008-000000003602}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.180{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8533F881C80B86B556C5471A28D634A,SHA256=C89776E05CAFF1E342C69C7060361AD8FE27B492CD8020E6F0519481BBCE4E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.080{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2847EC964F19BCDB36825C5C6573C8A7,SHA256=3AD5A9698D486E3402BF588B085B1833BEE9EAB3D6E467135E3F908FF748FAA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.015{C64CDE3E-2FCA-6227-BF08-000000003602}5928496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:25.445{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:28.190{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7BD544E9C8A622FF5C17C4324EF913,SHA256=DDE93D5BF8B2F01DB87BAA06B51DC200BC4B26CDCCCBAB9EB8ED8E3199040000,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.949{C64CDE3E-2FCC-6227-C708-000000003602}6780C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocumentsDWORD (0x00000001) 10341000x800000000000000037470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.932{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C708-000000003602}6780C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.910{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.895{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C708-000000003602}6780C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.895{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.895{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C708-000000003602}6780C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.907{C64CDE3E-2FCC-6227-C708-000000003602}6780C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.879{C64CDE3E-2FCC-6227-C608-000000003602}2656C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTabDWORD (0x00000001) 10341000x800000000000000037461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.863{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C608-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.863{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.863{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.848{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.848{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.848{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C608-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.848{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C608-000000003602}2656C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.858{C64CDE3E-2FCC-6227-C608-000000003602}2656C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.848{C64CDE3E-2FCC-6227-C508-000000003602}3484C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarLockAllDWORD (0x00000001) 10341000x800000000000000037452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.832{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C508-000000003602}3484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.828{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.828{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.827{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.827{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.827{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C508-000000003602}3484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.826{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C508-000000003602}3484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.826{C64CDE3E-2FCC-6227-C508-000000003602}3484C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.795{C64CDE3E-2FCC-6227-C408-000000003602}6872C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOffDWORD (0x00000001) 10341000x800000000000000037443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.795{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C408-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C408-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.779{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C408-000000003602}6872C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.791{C64CDE3E-2FCC-6227-C408-000000003602}6872C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.763{C64CDE3E-2FCC-6227-C308-000000003602}6124C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenuDWORD (0x00000001) 10341000x800000000000000037434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C308-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C308-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.748{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C308-000000003602}6124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.749{C64CDE3E-2FCC-6227-C308-000000003602}6124C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.732{C64CDE3E-2FCC-6227-C208-000000003602}6064C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMoreProgramsDWORD (0x00000000) 10341000x800000000000000037425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.727{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C208-000000003602}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C208-000000003602}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.695{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C208-000000003602}6064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.703{C64CDE3E-2FCC-6227-C208-000000003602}6064C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 0 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:28.663{C64CDE3E-2FCC-6227-C108-000000003602}7008C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbarDWORD (0x00000001) 10341000x800000000000000037416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.663{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FCC-6227-C108-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FCC-6227-C108-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.650{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FCC-6227-C108-000000003602}7008C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.660{C64CDE3E-2FCC-6227-C108-000000003602}7008C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.264{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FAC9AA395E6E8C5132422D57121286,SHA256=CF47BC7AF9CDF0433E9EBD0586B2763A5AA477B55AF232B571697C24C3D6EEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:28.211{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB064E556DFBDBF2E31767D6808C923F,SHA256=9B9177F575BB0932FD3817F5DE8303CC4BC1F383DBD57B28F7BA498C62EE2516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:29.206{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF811E12DC21C835B30A820D9651D8A6,SHA256=5E0DD85190A3A476D60E10EE0D30F37F3449789E4BC7224831DE9B34B384A0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:29.679{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B24C6AA48D988DD0EA5BFB8BA1F5BA13,SHA256=27A15067E89D46698372D916C3CFB0ECC41A04B1F05B229B3C40C38746A268DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:29.232{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036BE0E5FDDA87E75DC3ADEBCF87F392,SHA256=2E7264319BC7EB695853C27F64E6BFAC0DF35BDC274BFF17FBB24315391420A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:29.028{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4132A3CAE9C63D80999E7BF7E0DAE06B,SHA256=119A795B76A139EE0AD33FAD4BE37B8D353CFD3123005BDD3BAECB82CA6683F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:30.206{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EAD8B52F46C18D841A507ABC270854,SHA256=5BF5E1D8D25B269607C3850ECDB35C3A6E9C48F6067ABB58F7E3928077FE5500,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:27.602{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:30.247{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0473BB0D87DBEB1209931D6BD769CC,SHA256=D263837AE12334307926FE1F60DE3E7363E3E862A7C0231C1494773DA764EEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:31.269{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA74043D6A597B6E91B0B30A10BB493,SHA256=546F41BEC9228B4B0CCCA5082F72D5310031C965B59B488339B30BF530EA5F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:31.278{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA59293D8E20B54D6603F9908A6411A1,SHA256=A6DDB7F8748FA010F2668C69C41F26374CCC9169BEA9B34E4188015FE574724E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:32.519{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16EFC21662DD83A24CF55CE0FB09937,SHA256=22ECF24CB1EC584A40B58E10BC20714EE616FD1D5BF0A87FDBCE595C7656613B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:32.309{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311F856C8161097162C730E00E5475C2,SHA256=BEFB496505D55F4F84F1ABD0BF4599C9E425A3FE9D993E8F58767F4CECF0EA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.612{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=04176EF553D246FAFECEFE66FFC853F7,SHA256=7924E73A127EA1B6981B8D110D61EB42998CFA3D9688C43FB670E232CA0F4F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD1-6227-9705-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2FD1-6227-9705-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.581{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD1-6227-9705-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.582{DCBFC465-2FD1-6227-9705-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.550{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D5C487CA2394397D7AC6788776D0AC,SHA256=2FCC1A086802036B1F71CE6B832F76F82767DC08418CE826904FB7B2AD5B3FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:33.310{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B4B427D83BCD5DF6E5EB62132A7286,SHA256=8215652F132437AE6D7EC48238E315E02BFF8BE995449B2F0304C69ECAD509A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.331{DCBFC465-2FD1-6227-9605-000000003702}9883876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:31.289{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD1-6227-9605-000000003702}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2FD1-6227-9605-000000003702}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.081{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD1-6227-9605-000000003702}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:33.082{DCBFC465-2FD1-6227-9605-000000003702}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:34.550{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4479414662B7F966407010060FC27C0E,SHA256=6375B7791CE25C58A36AEECE732917A039991B37FCB27417699B09722AF55061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:34.346{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5B0C57E046C8392A859876AA6DCBA3,SHA256=A8D4BAF87908356310B3285BE5A1ADF8B0FEE73518E5F9F5FA2EAA72E19956AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:34.284{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17621651CBD1D0B4CA8763DB9F6BF6AD,SHA256=C079B44A569AD759D51731C9ECFD22BA6D3764B9B4B09E53501293F075F1F852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:34.284{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57279BF8FE963A7BD50B2F58C45419AB,SHA256=7E2701825EBA53E47C62357F5D16A58B367A7C1308450D7EA2A13FA8B43431BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.910{DCBFC465-2FD3-6227-9905-000000003702}6963716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD3-6227-9905-000000003702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2FD3-6227-9905-000000003702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.722{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD3-6227-9905-000000003702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.723{DCBFC465-2FD3-6227-9905-000000003702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.581{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AA881F6C658A7DA2D5D5593CCFC34A,SHA256=0BE9FB6F04B06221BBDE21CABD6A172876399A6D8A862C9DB51A2C34611837A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:35.377{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761476B3FFD6B090F0DBD67D60854DDC,SHA256=015D8E6423AE15C240457758C064DE7B932C29D50A2660C4D68072E3DEA05960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD3-6227-9805-000000003702}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2FD3-6227-9805-000000003702}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.144{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD3-6227-9805-000000003702}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:35.145{DCBFC465-2FD3-6227-9805-000000003702}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD4-6227-9B05-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2FD4-6227-9B05-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.847{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD4-6227-9B05-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.848{DCBFC465-2FD4-6227-9B05-000000003702}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.769{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FC7051A348457F4EB9B59D386C842A68,SHA256=B343C177F3BF36F13402AF05D36B3588993820FA1CB7C594833BC9CF1B3E477D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.769{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=728D84A9B2280D5A649212F08CE20AA9,SHA256=93B87BDAD2181D719578C6B67F82BD66BCF4ECF85AA6A74B7584E367EE500CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.706{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6292CD3E46572BB53E0E0F76B0A17F75,SHA256=0D0FAF1AED6335A12C00FB4A94666C4A242DDD360AF643D1B81323A1BF26AA65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:33.628{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:36.378{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178FA45A30940F292D8519AAB30FC9B,SHA256=2CD0278505922D392B079852904A6DBEE903EA556A2091A175269B0E9384EFFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.550{DCBFC465-2FD4-6227-9A05-000000003702}40003820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD4-6227-9A05-000000003702}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-2FD4-6227-9A05-000000003702}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.347{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD4-6227-9A05-000000003702}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.348{DCBFC465-2FD4-6227-9A05-000000003702}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.190{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17621651CBD1D0B4CA8763DB9F6BF6AD,SHA256=C079B44A569AD759D51731C9ECFD22BA6D3764B9B4B09E53501293F075F1F852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:37.737{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE60015C4B73AA73D5F29BAF0FB4878C,SHA256=21100B5D75C685D20D0CF0051200C5D92022117BFA43A789E84154CC489BEDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:37.408{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AB08AAE32EE41DE2DF2D09CD672B38,SHA256=BE7B972E0DCE5C4D35DC5F7295750657C7EF89D63CFBCEA9A0D1A2DE9DAE22AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:37.378{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7317717D4848311DC96B8BCB7A55409,SHA256=2101B2EE2BCA537D5130E63E6093F8AD24B1DD3514DD0A8076D11962355BD948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:37.050{DCBFC465-2FD4-6227-9B05-000000003702}9643248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.753{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D65CF7434131AD8C4AC520488B61FA,SHA256=D6559B3DB5416472F257425A30180B65D69549FE247786F85E80DDB484573ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:38.445{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A51E3EA7BDE4404E79679B52ECE4AC,SHA256=DFBF0E752056BD2A4AC2E9F4823966C31FA444CB4BA1A8B18C836D8F2B535D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:36.398{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-2FD6-6227-9C05-000000003702}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-2FD6-6227-9C05-000000003702}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-2FD6-6227-9C05-000000003702}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:38.222{DCBFC465-2FD6-6227-9C05-000000003702}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:39.753{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950BD3F1A66238B604073A807CBE6393,SHA256=D429AF43C963FEDEA640A5338132CC72E44763226A15974371E6707D4C597A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:39.475{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B37AF10936B06DCFD9EBA0840694E36,SHA256=65605CBEDCFC3C0F7129DB96EADA4ED7AA2AAEC8F4299C88171D1FA9B7DEA3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:39.237{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33906A395BB9BDB5EF1F5DB7B2812DF2,SHA256=042F38BE4C6872EED071DBB9E4DB4D0CB19A40FAFEB8BF9F4CF6D3BB36D2FA46,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:39.076{C64CDE3E-1CE6-6227-1100-000000003602}400C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d832d7-0x46920ead) 23542300x800000000000000019631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:40.769{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8039D62DB464CA2AEAAF32C9454CCB54,SHA256=68066335E84618F0972C688A88B6B13B30AA5C4DB2464D0D25EDE25F6BC26EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:40.490{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81EDDCBEA1A172DB6BCC8BC0990102,SHA256=6B27339B76F63C6AB6C6B780249FECC13AAAC61A933100C729F38A0C4FA66010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:41.800{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4536945A7BA1FBDDBB4A74D36FFF37FD,SHA256=EC95A48011BD39D06650505BC802EBAB7CAAAD96974A3B11D639C3125CD27924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:41.506{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED72D115BCC492566A3C964877652BA2,SHA256=939CFC6B32DCDC027759DFE19DD384203FB241F493030F4D91F27A950977B78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:42.800{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0FAB083BA02EDC115DF1F6BA31A813,SHA256=A39D73E37107EE1A6C9DCD1809FDF4301A02A64634BACDAF22F5B6D4F5F8B901,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:39.578{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:42.524{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D5DA159EA9C90B7B324190EF705756,SHA256=0EB51B7A728096DBFF94B7F7150A3F019B3218B12CB1D3586D079E4F631ED714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:43.815{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCEC7C7E036FD6A6E645AD600EE7DB4,SHA256=66675BAC66208FF0345E5F4ACCD6DD58A687DCEA2189AC38C01C14D298802AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:43.542{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB4256393E3D0A7767A8207327C3F1B,SHA256=E555A8D197388C810F7A10F7E94759937776F72FE24A1D4CF41F31E05336005E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:41.445{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:44.956{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12C4309F008EB33613626AEFBEFA28,SHA256=CC534398A54F5585311C168BFD121EEB5A3FAA0A5ED634FBB5D61C250DA3BB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:44.573{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B8AF13C2D13F924C8D417CA61BAF0C,SHA256=333A60494FA01B9E8108D0F8607E8927170B2EB9E7BD9893A704EC5C3D098EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:44.394{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:44.422{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:44.422{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:45.956{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4410EE8444879D19CF6C1E21466DF1,SHA256=F37CD3D6F7190391AB060A7502093BF6E30EF7E2D274555D821418446646B8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:42.957{C64CDE3E-1CE6-6227-0D00-000000003602}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51190-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 354300x800000000000000037497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:42.957{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local51190-truefe80:0:0:0:245c:6a7:f89e:934dwin-dc-tcontreras-attack-range-462.attackrange.local135epmap 23542300x800000000000000037496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:45.588{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25992493FF17E22A81AF249A7B006F5C,SHA256=5AE5B3511A48236869F14B9437517F49A35AE6FC5B86633E448F67F2603C7E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:43.633{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000037499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:46.602{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71181B5518CEF7ACFDAFE588F97E1351,SHA256=E69BEAB41A7B2F30DF8551D2CA6130D5DE6ADB5232F98F8F2B8F208E37529887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:47.605{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0B334D4684F2B4F23E501F8D455E50,SHA256=D46B77391C4E3E0DE010ABAD7A105C85B75BBBC6D301ADFDBD4110BFACD61771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:47.186{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C4E9D9F0B013047BAB34ACE67CDF1D,SHA256=50F62A12EA2BA4A3282BF285FA2A3BD34256121D6872F8A2C0892F08A946880C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:45.590{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:48.641{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BDBFFC5EB7265F7068FF305745033C,SHA256=2E4C8863704446E5B52D3B67D2EA43ED7F38FCFA96F8A2F4BCD9531B99512A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:48.248{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FA52913CF9E6CAAC3E6B81D28915EC,SHA256=89E27520CD71559E56424200F0E78F9FEFE8567E9454E4D899A1975D8A9E688F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:47.362{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:49.264{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1785CE2E1F76A42E4E04D1EBC4E00F6D,SHA256=F5CD5DDDC9B18285ED6BCDD3BD6430AD46D61188159393D020F32CF6F6865C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.988{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8559231282BF8454A080F831E3A2030,SHA256=9292AD6F55FD8E6FA9D0085417AE42395F4AE2338A25E9CA19064E6B45283BB6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.721{C64CDE3E-2FE1-6227-CE08-000000003602}4384C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments 10341000x800000000000000037565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.705{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-CE08-000000003602}4384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-CE08-000000003602}4384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-CE08-000000003602}4384C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.690{C64CDE3E-2FE1-6227-CE08-000000003602}4384C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.674{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7287665F59088B6DD37DFC50D9F52F,SHA256=0838D508B3EC233CD1557609B401922A04CA26DF455E0046E6CEF1BE3D05E047,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.674{C64CDE3E-2FE1-6227-CD08-000000003602}5444C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab 10341000x800000000000000037555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.674{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-CD08-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-CD08-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.658{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-CD08-000000003602}5444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.668{C64CDE3E-2FE1-6227-CD08-000000003602}5444C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.643{C64CDE3E-2FE1-6227-CC08-000000003602}3856C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarLockAll 10341000x800000000000000037546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.643{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-CC08-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-CC08-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.627{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-CC08-000000003602}3856C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.638{C64CDE3E-2FE1-6227-CC08-000000003602}3856C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v TaskbarLockAll /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.604{C64CDE3E-2FE1-6227-CB08-000000003602}5732C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff 10341000x800000000000000037537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-CB08-000000003602}5732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.588{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-CB08-000000003602}5732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.572{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-CB08-000000003602}5732C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.586{C64CDE3E-2FE1-6227-CB08-000000003602}5732C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.572{C64CDE3E-2FE1-6227-CA08-000000003602}5916C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu 10341000x800000000000000037528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.572{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-CA08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-CA08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.561{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-CA08-000000003602}5916C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.568{C64CDE3E-2FE1-6227-CA08-000000003602}5916C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.561{C64CDE3E-2FE1-6227-C908-000000003602}3724C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms 10341000x800000000000000037519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-C908-000000003602}3724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-C908-000000003602}3724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.541{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-C908-000000003602}3724C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.547{C64CDE3E-2FE1-6227-C908-000000003602}3724C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:28:49.525{C64CDE3E-2FE1-6227-C808-000000003602}1484C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar 10341000x800000000000000037510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FE1-6227-C808-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FE1-6227-C808-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.525{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FE1-6227-C808-000000003602}1484C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:49.528{C64CDE3E-2FE1-6227-C808-000000003602}1484C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000019644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:50.483{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A98BD943F4A87B458709D73E7748FD,SHA256=88FE433E6F50FB5B93C2B2017CE946BF543FD3212E0F265D7F5018B10932E164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:50.688{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3AB165ED31F53783B791E4E68A978E,SHA256=8750B5CC25A5281A96E19B1246CF5DA130AB92A3BCD860D82063888EB4C2B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:50.541{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922BB29101EACFA04D5DDEDAE0446E49,SHA256=3AA99A0BAC5A7FE5CAC68D5B080CB57F2CC70FC8FDD115ECB9D357F96E0DC2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:50.541{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5A1C398801B4880CAD530C71D3A62C,SHA256=D38719B4B56DC3BC5190DA495274EC802546687F7554FA1B59C312736AFCD21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:51.733{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F388DC7A8FC9921D068A82EE85BD32,SHA256=7595B167E3C8FEE1AC7908DA2BDF896CB2A1FAA714D2DB9EEB1B5CBAC6E9D728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:51.706{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59B6FF8BD78FB69074A05781246E9DD,SHA256=2A093EC59D3FAE9C915F7F37786DDCB3CCB8A4155666CB26645F05066A6C81A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:52.764{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D9FB09886E5EA54F21C6B89CCC6D6F,SHA256=1D6D91D9A497B31B7A94A776CCBDAEC642698A700DB7132872803FD20AF8B023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:52.720{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DBC301229E18A75C87E95B92F4C191,SHA256=2D3D31CF273E83F743FDAB946715DA9368DBBCA24569B0168C8274ED6BD878B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:53.873{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7490770170E1FC280E1747FE53BA25,SHA256=A9D86C03B4845178E5DEEE5DCB18CF90D7E20DAEE3CD3B6AB3513A510DBF494B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:50.590{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:53.730{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E5D428611812995D8377CEC22F4EB1,SHA256=95CFDD29E93D55C53DD7A2CB28697C42E041462B97FBCB24398618F9251657D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:53.049{C64CDE3E-1CE6-6227-1000-000000003602}420NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7E3550E9BD951C6D1AD7566FB743625F,SHA256=9337656D39ACA76E07C4808D20E030B4E29AB1B542AF9BB1CFBCB11979142631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:54.764{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DA29250D35484C654FD184DF0FD17E,SHA256=D48446C6043A552169E962B5B9AF4A93B76EEB6A9B810D4CF6BF48D39B8A84DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:55.764{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8501AE19FD6490D79BA4092F4F7885,SHA256=0BC105BAC72EB4EF1FB25E4EDEDFE0592657E79930F957B444740CAAC4247F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:55.108{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417E81B921F38AEDB303052022BD7854,SHA256=8782645CA5AC543DE4B4EA2855F57F48E30246D03CC392DDFD64CA0BC3963D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.780{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68444585D0DB22A3A325295E2B7F8C7,SHA256=B2A7850442A7E39EC4C1DC184424761EC4740FD1FE7B9099F3E800A99D47305B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:56.108{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED183450087034E734F70E4D0508E7,SHA256=F0641D85CA0157B89372774B81D7CA7399F4C8DF1C46594A199770F152A9309A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:56.580{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x800000000000000037581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:56.580{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Config SourceDWORD (0x00000001) 13241300x800000000000000037580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:56.580{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\DB477B57-8AB7-41B7-868E-2991B0EC5E6D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_DB477B57-8AB7-41B7-868E-2991B0EC5E6D.XML 10341000x800000000000000037579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.564{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.564{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000019649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:53.394{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:57.155{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C122AE571D4F55637B15932BE31B715,SHA256=BD0F8EE5C99FEE27F98E823C841E12B316D03276E1C99C9CC51C479541F2ABF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:57.810{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC491F2ABA51E551869B5545F2EEF78,SHA256=067172F45814A594912F036E46411DD989FBE547899FA2C177FCBADF5A122D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:57.448{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:57.432{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:57.432{C64CDE3E-1CE4-6227-0B00-000000003602}612820C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:57.180{C64CDE3E-1CF7-6227-2B00-000000003602}2896NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:58.389{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E286B75300780720A2EFA09E41C6,SHA256=C9191A32B776FCF43E77532627AD41CC7D9D4A5C5FCACCB0EAF913BE9DA9371B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.898{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1791E5227777AFFE781C2E146C565A1E,SHA256=F915D2A06592CAC9DE3FDE7D05B80F0C103C722DE9F84D902F89FE868DE019CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:58.531{C64CDE3E-2FEA-6227-D308-000000003602}2812C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoiceDWORD (0x00000001) 10341000x800000000000000037637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.495{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FEA-6227-D308-000000003602}2812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.479{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.479{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.464{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FEA-6227-D308-000000003602}2812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.464{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.464{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.464{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FEA-6227-D308-000000003602}2812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.477{C64CDE3E-2FEA-6227-D308-000000003602}2812C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.464{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929F154B7E997A2F070C12FB2768F5B7,SHA256=F90BD2028FCAA7F1288F7A39C02D928B51B501B312E394E31D21EE1199275958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.448{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922BB29101EACFA04D5DDEDAE0446E49,SHA256=3AA99A0BAC5A7FE5CAC68D5B080CB57F2CC70FC8FDD115ECB9D357F96E0DC2B7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:58.432{C64CDE3E-2FEA-6227-D208-000000003602}6568C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePageDWORD (0x00000001) 10341000x800000000000000037626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.426{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FEA-6227-D208-000000003602}6568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FEA-6227-D208-000000003602}6568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.395{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FEA-6227-D208-000000003602}6568C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.401{C64CDE3E-2FEA-6227-D208-000000003602}6568C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:58.379{C64CDE3E-2FEA-6227-D108-000000003602}5884C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstationDWORD (0x00000001) 10341000x800000000000000037617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.379{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FEA-6227-D108-000000003602}5884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-200C-6227-FA01-000000003602}37964832C:\Windows\system32\csrss.exe{C64CDE3E-2FEA-6227-D108-000000003602}5884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.363{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FEA-6227-D108-000000003602}5884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.376{C64CDE3E-2FEA-6227-D108-000000003602}5884C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:58.348{C64CDE3E-2FEA-6227-D008-000000003602}4588C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePasswordDWORD (0x00000001) 10341000x800000000000000037608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FEA-6227-D008-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FEA-6227-D008-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.332{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FEA-6227-D008-000000003602}4588C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.338{C64CDE3E-2FEA-6227-D008-000000003602}4588C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 13241300x800000000000000037600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-SetValue2022-03-08 10:28:58.331{C64CDE3E-2FEA-6227-CF08-000000003602}1632C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoVisualStyleChoiceDWORD (0x00000001) 10341000x800000000000000037599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FEA-6227-CF08-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FEA-6227-CF08-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.310{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FEA-6227-CF08-000000003602}1632C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.314{C64CDE3E-2FEA-6227-CF08-000000003602}1632C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /t REG_DWORD /d 1 /fC:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000037591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.294{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.294{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:58.294{C64CDE3E-1CE4-6227-0B00-000000003602}612660C:\Windows\system32\lsass.exe{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:59.623{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42D352109B6A13119BE18379149DA81,SHA256=4C766445C12E9BEFFF929BDB7B0ADCBFC89FC9FCDF8C87FCCE6A30791B907FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:59.913{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0593077072D0F1DC5366BB738182239F,SHA256=B8ABB0913658ACC6DAB76F4ED7D089F06132723F309B3102736C10161E224B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:59.467{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929F154B7E997A2F070C12FB2768F5B7,SHA256=F90BD2028FCAA7F1288F7A39C02D928B51B501B312E394E31D21EE1199275958,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:55.960{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51194-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:55.960{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51194-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:55.713{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:00.764{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9360EF2E57B23108296C519BEA56DA48,SHA256=77E769F10A679AF0784A531C3CD87B44F47CAD59F63D28241C7056F509A5964C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:00.914{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA06DF4FA0C04FAD0E3139781E89A17B,SHA256=3EDC8EE7C0CC1E11269EB81BC416441F84F858724F6C12E66CEAE2F0115B3A6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.828{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51196-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.828{C64CDE3E-1CF7-6227-2F00-000000003602}1652C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51196-false10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:28:56.597{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:01.795{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9BAFFD3DCC31D5BA8259BD2E9AD32C,SHA256=9FBF183163929CB252C768A22B10AB34AFD0AC5DC4AD40781DDEADC2A9F6AB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:01.921{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3007093EDD352EB394002C3B63CB92DE,SHA256=0D977EC8E644E9900BC8EA375D44A048FFAB1CD2BBDC79E7AB9B388D759538AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:28:58.503{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:02.939{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFD49A150362F739A939AF1DA91A7E2,SHA256=11F3B52A71B3D1FC64D7DA6A923EEC4AABD97C9CB5B2F235EFC866413E7BB320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:03.957{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AD1CA577B17CDEDEAE1E30A0271738,SHA256=51871B016AED62749192CD941E21D22D787CC61825304DE21B301AA9C4297056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:03.030{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB012BCF18BC134FBAC59ABFD14E23C,SHA256=860641197EA8D396F2563F1C54626575258D3CD22D0B8D387973E086F6082BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:04.957{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899E77377654817C807329FFDB9F188C,SHA256=234D6FF087801D7BB2ABEE387F65FB7935BEF5F4FA4A2A9F663E3EC346EE1A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:04.264{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C22B1790C6692A1DDDACBEEB3554F81,SHA256=963CF1C0F884516D7707176A818D3A0160C3350FE54C68033EE7434C4704F578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:05.973{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD0569B4C3BD15B05BCF774D0E866F0,SHA256=ADBFB134AC396B7D46EB1C342B4B0ACC2671CD1FE88456EC6CC70365BB322347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:05.342{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C91FC81BCFC081D37711ACFEDD1E8,SHA256=C2CF47E5AC8EEB1EE34CEC427EEADBF143FC646A6C2B7B967F74924CEBE68535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:06.358{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D8E7C1707476B0268D7F4CB87AA07,SHA256=3D13607072B8FB761A088B51ED90B57B6EB786D1E20D4CD0014F1F9C94B70A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:06.989{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C45AD1B3698D881A3F22D750E7AEE1,SHA256=1B06A33E8EF4FA68C9126F84D57F26E32B1CF5EB57661652C2EB3347D576F3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:01.706{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000019662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:04.316{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:07.405{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D801F539A4C68C209A6BBA3C9E8080C4,SHA256=54F1B70E6CEAB4CBAD88C4B792BF63EDD45D35198D11B2B3BCC523E243E651C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:08.577{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB75131B4983FEDAF82596A1CE102E,SHA256=EA36FFAFD0462B8189E6BE00DD0151F556F366E0F7A1E479852C959B4996B1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:08.003{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B189EA36A777742E9D8AE40BFAE2D3FF,SHA256=06536A4178315199B7BEDEC8FDCB0EF213E793C9E286FE4B390EC57CEFB070E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:09.608{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911B407F5A22A2DD797721E504AD8A45,SHA256=35B07BA2A5462B17E0F50BF38333F904A4E39693DDDB46158A9C3C0D2AE319CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:09.238{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=CD89CD2E4263C315C4ACBD08433EB16E,SHA256=078173C4A5FF8ECDE519C963D930A8C274FD8D7B091F25C665097441B026041F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:09.004{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F614CD7BEB4855E8373D4C7FDAE8BE21,SHA256=98D7FC39A8314BB946C6581B1520DB9D1A707977922B559FBC5050C1463FE210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:10.608{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B15130F5385852F7B85D93DDAE2AEA,SHA256=222EFBBEE4D9055C2689F560DD818E9FB68C7485C74E69721EB14E24BA9E588A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:10.005{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9B607EF77F5703807F049DED260A5C,SHA256=5FF4D3E982380F5208EF41F830A85AAD3962464DA354B3C72DAD7E15F0C1872A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:09.504{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:11.623{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D678228443C193E784CEDD80FFF16238,SHA256=5F307DB2CA9A0137ECD6108A3DD6756DF63AC420C8701B814CB8D39FB2FE127C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:07.736{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:11.125{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\respondent-20220308090810-078MD5=AC296348C12F899BF0F527F2984A2DD1,SHA256=A35560BD23E94F5C9C2AA7752B988DA786BB94608EDDAF755EB3DCD02CE684A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:11.020{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9764F0E44A68DACAC7FF8250FF37433,SHA256=AA7AA7CDAE8721A22948EAB77594C2D6A777CFE06111B66A2EA64714BF3CFE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:12.639{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F41ED8AD32078BD6647C6B5016890C9,SHA256=91C4E843D7190DF890E98544C60DE457EF81C5B4CC43176261AA5C8EE0F3E971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:12.137{C64CDE3E-1CF7-6227-2900-000000003602}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0dfe1b371cfc2186e\channels\health\surveyor-20220308090808-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:12.039{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0766FDFA182D90320CC3BF2354F1B6,SHA256=BE99D1B35756A833FB688AFE95861CAD5552030586B5DCA589083E78B5FCA25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:13.639{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849671DA75B19A7C53CF869EC64089A7,SHA256=AA9C06150F8D8EC7A37F4E5C0462AA45DA96030CC5AE0FA17661228E30CA6A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:13.057{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E72C300EF87A4C2BD6E1516472BC461,SHA256=3986E6CC48A90A9972961AFDA876B75A4A1A1D429E45EEB6904DC636856CE125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:14.655{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4168266CC02E1F04794D2EB2C56EAD24,SHA256=87DA85438E05551718E5DDB544E3C8EA6472C3C2652449637BA189CC6323B372,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000037670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:14.705{C64CDE3E-2A1A-6227-1807-000000003602}1268C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\SiteSecurityServiceState.txt2022-03-08 10:09:14.605 23542300x800000000000000037669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:14.705{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\SiteSecurityServiceState.txtMD5=08E28BD1910423348B0E14CC3B1406CF,SHA256=7E2426CE8273E69976D298E42E2795973D4A54B5B75627B1490ABF264450BCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:14.273{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=414FCA813385973C96D1B800997A5FBC,SHA256=CD3E0A383016E63861CF020F83149D21C653A1B09C82E1F1E150F62033011A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:14.257{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=52043D81333FC49308045DD222B5556C,SHA256=FE6041500EF1C1726664064932A408FF869707D13C1292863911E1732D2A251D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:14.057{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4278CF1D07B3548C678B8A02460A7003,SHA256=0AA1A5146CEFE8691CED286FAD198D4B43042C520D508EF8BAD816A03743B57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:15.655{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF108273F5DE232EFA111E4F9A323964,SHA256=AF79D983164309CB9AB2273EBF57FFEFFCAF6F247CB7027BBC1BB197663E3C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:15.072{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2301006EE8DE0C2777DAF2D7809D5CCF,SHA256=D79A6C597C35F8099DD8F70C293F060CD71104CC423F73A13FA0E56D3CD15E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:16.655{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8F93923DEA7555753C75B62F7ACA45,SHA256=062DF09B64A3F8D618C65456A6841166C0C790B124A60DE4CECC49989FEEEF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:16.087{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48DC57401975C4124CFA71CC8BAE15,SHA256=DBDD87A116DFA07468F9D2E70AF774E19DF43764F9F67FE6786A12E998819DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:15.519{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:17.655{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FD573C6E8A87E458F9263D1B8760B9,SHA256=C169B527FDF6F1340E98687A0C9D383AC2A9D4C3BBA7F1486F6DFBBE0ABC17A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:13.604{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:17.102{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6C7FC5D88DDDAC04B4CDC8737910FF,SHA256=52006BE3849DF21F48E463E4FD3E6FCECE805B05158EE760D23A2F12BEC1F90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:18.671{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84937EA3491254820AD912395AF8019D,SHA256=86D403C1C31897B684361BD14F4CD983FFF6DF0E4CADE522E980B2DD79336625,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000037720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:29:18.402{C64CDE3E-2FFE-6227-D808-000000003602}5688C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice 10341000x800000000000000037719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FFE-6227-D808-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.402{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FFE-6227-D808-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.386{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FFE-6227-D808-000000003602}5688C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.401{C64CDE3E-2FFE-6227-D808-000000003602}5688C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoColorChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:29:18.371{C64CDE3E-2FFE-6227-D708-000000003602}4244C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage 10341000x800000000000000037710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.355{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FFE-6227-D708-000000003602}4244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.355{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.355{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.339{C64CDE3E-200C-6227-FA01-000000003602}37966396C:\Windows\system32\csrss.exe{C64CDE3E-2FFE-6227-D708-000000003602}4244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.339{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.339{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.339{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FFE-6227-D708-000000003602}4244C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.351{C64CDE3E-2FFE-6227-D708-000000003602}4244C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:29:18.317{C64CDE3E-2FFE-6227-D608-000000003602}3740C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation 10341000x800000000000000037701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.305{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FFE-6227-D608-000000003602}3740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-200C-6227-FA01-000000003602}37964632C:\Windows\system32\csrss.exe{C64CDE3E-2FFE-6227-D608-000000003602}3740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.270{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FFE-6227-D608-000000003602}3740C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.282{C64CDE3E-2FFE-6227-D608-000000003602}3740C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:29:18.239{C64CDE3E-2FFE-6227-D508-000000003602}5392C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword 10341000x800000000000000037692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FFE-6227-D508-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FFE-6227-D508-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.239{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FFE-6227-D508-000000003602}5392C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.247{C64CDE3E-2FFE-6227-D508-000000003602}5392C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 12241200x800000000000000037684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-DeleteValue2022-03-08 10:29:18.239{C64CDE3E-2FFE-6227-D408-000000003602}5996C:\Windows\system32\reg.exeHKU\S-1-5-21-3798679359-297722169-3327854505-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoVisualStyleChoice 10341000x800000000000000037683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.237{C64CDE3E-2DC6-6227-CE07-000000003602}44684456C:\Windows\system32\conhost.exe{C64CDE3E-2FFE-6227-D408-000000003602}5996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-200C-6227-FA01-000000003602}37966392C:\Windows\system32\csrss.exe{C64CDE3E-2FFE-6227-D408-000000003602}5996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.217{C64CDE3E-2DC6-6227-CD07-000000003602}49323044C:\Windows\system32\cmd.exe{C64CDE3E-2FFE-6227-D408-000000003602}5996C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.228{C64CDE3E-2FFE-6227-D408-000000003602}5996C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoVisualStyleChoice /f C:\Temp\ATTACKRANGE\Administrator{C64CDE3E-200F-6227-41B6-150000000000}0x15b6412HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{C64CDE3E-2DC6-6227-CD07-000000003602}4932C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000037675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.117{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFC8C02678DE576FB3C62BB0E780A8,SHA256=8FFB28EA8BE02EE3AEF7916590364C39998CB4E08C750BFD32A1EF384301B2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:18.424{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\respondent-20220308092036-066MD5=AD989BA5FC8211C68DEB145594DF29B5,SHA256=A92C9E9F939B5FA1DAF2D9D45D4066E44A16133766F98754DF452EC8E38921ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:19.685{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E360B82F9067174E44BA710D9C0704DF,SHA256=2E5AE4AE6A68C4E942CE705283095BC30A0A7A51E0E8CFC4B278138723BF7BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:19.371{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0127B0F2611B0532BA94BE27E9A914,SHA256=AD069226E9EA8B67F7DE15A05ABE01C15880665A55E50FFE82A194D070D61CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:19.371{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C365F919C36451D39544673B6FECC2,SHA256=2183BD154B2200D9A196B0793ECC86CDF57D7D69E97794CA651A71D178FEEB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:19.371{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48DADDF5C8195E73956B63EF23C053F3,SHA256=55958A11EE3AFF76CC82632760D422D4F6F45A0911C08C30CC234A7E3ECE7655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:19.438{DCBFC465-1FE1-6227-1E00-000000003702}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-015ba7764a251f6be\channels\health\surveyor-20220308092033-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:20.766{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BCAA9495A4D51FAAD833471290734E,SHA256=7322B5533787E632CA38B2826E06335FDBA68B564E19AB201958DBEB538B13F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.373{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F21C54FB4B3FFABB49E0B7201FE764,SHA256=2D5BD61FD9FD3664AF09BE035F671FD7DC0D77020A8EB6DE4FEE1D3D1EEDFF64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.341{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3000-6227-D908-000000003602}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.339{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.339{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.339{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.338{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.338{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-3000-6227-D908-000000003602}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.338{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3000-6227-D908-000000003602}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:20.337{C64CDE3E-3000-6227-D908-000000003602}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:21.766{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C66EADB787FE32612E2CB04E2C7757,SHA256=78DB9346474223C956A1D6D4A21C0DB474CE20690DCE30DE81A331AE2A59A796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.389{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D37153CC4DFBA6B5CC60E083E7F0D1F,SHA256=6EB38E2E3F6F9EBEA83561DC6593CEA8F69222DCDA92B55C9EE5CB399F072D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.389{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFB7BD00CA2B461DD3A67B899F95C90,SHA256=431A6586DF7A82ED2D0BCF401C0CC35C1D0B35EF222370708A6CB32CDC6A1224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.373{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0127B0F2611B0532BA94BE27E9A914,SHA256=AD069226E9EA8B67F7DE15A05ABE01C15880665A55E50FFE82A194D070D61CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.204{C64CDE3E-3001-6227-DA08-000000003602}42765056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3001-6227-DA08-000000003602}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-3001-6227-DA08-000000003602}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.020{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3001-6227-DA08-000000003602}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.021{C64CDE3E-3001-6227-DA08-000000003602}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:22.766{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCCBC125B3B354939853A9477C98394,SHA256=FD01E7F4495DB834B8976FCC7F6725AD195D529632CAE340C6E9390F9B2C944C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3002-6227-DB08-000000003602}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-3002-6227-DB08-000000003602}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.719{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3002-6227-DB08-000000003602}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.720{C64CDE3E-3002-6227-DB08-000000003602}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:22.404{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD20EC740BE44CCEFA4424D1A5059E8,SHA256=F220B841F1BF24E3DB1C9B3A5889CAAFB22FDA32D0977EB992D1E0BE17E546B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:18.651{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:23.906{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF5E091DE301AC8FE6B73E41C3A29CE,SHA256=BFBFCE86F3C1E48A4AA17CEB55521FADBD6911F5B26EAEF4224C52CC76CA7B51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.872{C64CDE3E-3003-6227-DC08-000000003602}48645464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.743{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D67AD4E4807A8405F05651C5AF8DF3E6,SHA256=F88219DC29DEE6BF60002959216E0E86D8DA635FCD030733888F5205AA9FE6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.639{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3003-6227-DC08-000000003602}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.637{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.637{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.636{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-3003-6227-DC08-000000003602}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.636{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.636{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.636{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3003-6227-DC08-000000003602}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.635{C64CDE3E-3003-6227-DC08-000000003602}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:23.419{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336A8DAE6123EEFDB641C48383CEB8B4,SHA256=F6784842B7985C05245CD2E9317CEA5931805DE94E0C7E3AC012D9259C78C7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:24.922{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8F04E11554A41E2E8CB32848CD732A,SHA256=F9CBF2740458FED3B215C350ACA14F33EFD3F261A47694C2E36EF40EA60ED34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:24.420{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3F0EBFC4129E2B371DA433BFA1DC44,SHA256=19F96481315F4F6AF0CD7EAB6D0FA23257A6D07243A35E5C76809103BF620E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:21.442{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000037769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.835{C64CDE3E-1CE4-6227-0B00-000000003602}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51201-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 354300x800000000000000037768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:21.835{C64CDE3E-1CF7-6227-2800-000000003602}2856C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local51201-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-462.attackrange.local389ldap 23542300x800000000000000037767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:25.438{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3872BA0805D733F6FC0F350E36A5060C,SHA256=89169F51EBDD37313438AEA5445602CA98B6216C596C57201AE3215523F52A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:26.141{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBD1C7ABB49C646B90B7087D964E84,SHA256=5A00B2DA611033E8F37808C89420D6EB03913C46FC5DBEB42EE6B09867FCFFBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.952{C64CDE3E-3006-6227-DE08-000000003602}6060312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3006-6227-DE08-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-3006-6227-DE08-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.673{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3006-6227-DE08-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.674{C64CDE3E-3006-6227-DE08-000000003602}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.457{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EC09FB74E91A71A36C799E2687D3B1,SHA256=B81D33F45A05EFE30908DE14652B523102E90B7E5915C4DE12E5A9ADA2F5B508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.404{C64CDE3E-3006-6227-DD08-000000003602}27006576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3006-6227-DD08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CE4-6227-0500-000000003602}396512C:\Windows\system32\csrss.exe{C64CDE3E-3006-6227-DD08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.088{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3006-6227-DD08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:26.089{C64CDE3E-3006-6227-DD08-000000003602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:27.331{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADA374DFB50F6EC96061E779807C0ED,SHA256=5F154A42A7C20BCD4FC4DDFECC6A469B1D3F9933E8C26B1F8D6B8624DE013BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.503{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143CAC5E0367AF1E75442585D9B1D453,SHA256=DEC6A723C9FDA158B0E5A437FB2A3A37050D218412602FFCABA84C092AE2D1E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CF9-6227-3500-000000003602}32643284C:\Windows\system32\conhost.exe{C64CDE3E-3007-6227-DF08-000000003602}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CE4-6227-0500-000000003602}396384C:\Windows\system32\csrss.exe{C64CDE3E-3007-6227-DF08-000000003602}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CE6-6227-0C00-000000003602}8246792C:\Windows\system32\svchost.exe{C64CDE3E-1CF7-6227-2C00-000000003602}3028C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.284{C64CDE3E-1CF7-6227-2B00-000000003602}28962348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C64CDE3E-3007-6227-DF08-000000003602}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.285{C64CDE3E-3007-6227-DF08-000000003602}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C64CDE3E-1CE4-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C64CDE3E-1CF7-6227-2B00-000000003602}2896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.230{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=AC2C8D8B1BF755276DC6458778634844,SHA256=FEDEAA49C71FF95844948ACDD3188E3DF2F08CD44B945E93BE70949C7F83026F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:27.115{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812DF39AC15645FCDF35E55A92CE6CC6,SHA256=CB3DF137531577C52D3EEC6A35E1E5FA7A747079C8CABD20EBEBEEA4464C5596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:28.472{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F86BBEC99BCFBA1FD04FB4221C96216,SHA256=7E7A6CC799873FF5EEAD6CAA4AAE155A9772E6845B676D9AB539A61DC30A6A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:28.528{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6478E955C731E1F7E4FDEBA1592939D4,SHA256=171F78A5F344A8AB39C3A65B3D0FC11DA25194FC985101EBEC7717CBA34024AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:28.297{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F25BFE456FBBDF4CFF4D1A124D66D7F2,SHA256=E99213368116CCCECAECD71D904915E1923A3907032F739B323566C7DF2E49CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:24.651{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:29.472{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3AC00E4EF1269E73BC7A848724AFFC,SHA256=6259EFFC479D0316AB020D91B3831098AA6B3B5F7FCFC9ACAE090DB337013B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:29.529{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E284DE7900512F097FB9F87E1CFFF25,SHA256=768B89E2B0E9C7259BA87E7B43181F540007BEE99628A670ED5D203650608EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:29.362{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=346F6CE146CB05AFB3864C72ADD7F6A2,SHA256=6931B7F9973FB396B9D38A6210E6F736B0D30F6BDA7F5EB1C5BA991FF42ECF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:30.472{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C640F9528E07CD682885CB781D2497C,SHA256=CA9BE8684BCC107793A4B4F6CB8119951BC2B9D7759941785C6AA39DACC5D2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:30.562{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72DBAF3B8178E7FF01F74B913590613,SHA256=9C5876CD89F56687C6FF8512C5F53B03BE89AF8A72505F60AD738FEFD1F05BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:27.477{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:31.487{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69DAAC2338094E40072CB808658504,SHA256=249DEA1F161321DBB577AF41AF7B41BEA5DACCAC13A17E6315D84F724457B241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:31.580{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07A261308EDF922DEBE5E688331AAD,SHA256=93255180AE5CE82280E4DB4B91F696533DEA1650CAED2DA6325CDBE31E54CE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:32.487{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162D2F6327AB2B56298D02A7758AEC91,SHA256=AB3F1DBB46EE557957787BD06A542CAC289B41FEC7709E89AD97D87DE180F470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:32.595{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F735BB82E0BD27A635D612CC04B3D1,SHA256=D4FF9CEAD6412BB4F902CA2DC17568C9E3C38A280C171B7809FC8AFD94CAE64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:33.626{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3870EEE7B5549B40996E55947F2E686F,SHA256=597C365447027E81A402035FDB7D29EB8AB9851BAB8A6BFAA681F7C20A4AB1C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.816{DCBFC465-300D-6227-9E05-000000003702}21963580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.612{DCBFC465-1FE0-6227-1200-000000003702}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D4BC9F40B2ADE87175CABC89B6F8752D,SHA256=165280C1C95AFC19D9FF0B53630C65FDC5FA02119093269EF0CBEB9922F212CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-300D-6227-9E05-000000003702}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-300D-6227-9E05-000000003702}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.581{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-300D-6227-9E05-000000003702}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.582{DCBFC465-300D-6227-9E05-000000003702}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.487{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4CAD484D50153985AE8BC45571640A,SHA256=81F0ACEC356A1496D64937C02597A5D041BC66DB6B3CD908D4D9594223ADC3AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-300D-6227-9D05-000000003702}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-300D-6227-9D05-000000003702}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.081{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-300D-6227-9D05-000000003702}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.082{DCBFC465-300D-6227-9D05-000000003702}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:30.673{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:34.503{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D33596605A40424C174F390A456150A,SHA256=5D589535C3EED5950862F7C712629BB14512D3DA70CD8D09B15C9D5F0C6A19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:34.641{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73559E903F17CB1D1E4C5A24A517681,SHA256=ED066BC04A4A59233DF13875041D90A7C5FD1DC44F1D6FA8C715D19799A90BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:34.378{C64CDE3E-2A1A-6227-1807-000000003602}1268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qh3soqs3.default-release\datareporting\glean\db\data.safe.binMD5=F1AD94025312E76C574656F553BA8703,SHA256=A820B661CBB01C118A581D245F2537D7793DE13E3CD621153107B4D0378D1C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:34.331{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7A71BEE36EB312E3090C9F1167BE28,SHA256=F75655AD5CF61F00A8FE222C7661998E1CF178C185C4CF18D41E7BBB34479BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:34.331{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A815829B7739151862B92434978B559D,SHA256=37BBD983D9154812B16B746C619A8476E6AC8B4F2F988B334510DC9766F4FCF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.878{DCBFC465-300F-6227-A005-000000003702}3562024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:35.663{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB70127D0A34D6374F65D1B937028F9,SHA256=FFAF2A2D3F64C50DD282EE21E78822FF0F20E0065A3ACED6F1F0A1E5844EBFDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-300F-6227-A005-000000003702}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-300F-6227-A005-000000003702}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.644{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-300F-6227-A005-000000003702}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.645{DCBFC465-300F-6227-A005-000000003702}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:33.367{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000019738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.394{DCBFC465-300F-6227-9F05-000000003702}3556624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-300F-6227-9F05-000000003702}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-1FDD-6227-0500-000000003702}4041684C:\Windows\system32\csrss.exe{DCBFC465-300F-6227-9F05-000000003702}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.144{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-300F-6227-9F05-000000003702}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:35.145{DCBFC465-300F-6227-9F05-000000003702}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:36.693{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076EBCF1D8A7732AFF5823AB94877777,SHA256=154B0C6DE5E223D605A40EA2D919F43C49786BA9E1FBA60985A05A7B88DE25C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.904{DCBFC465-3010-6227-A205-000000003702}37043068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-3010-6227-A205-000000003702}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-1FDD-6227-0500-000000003702}404516C:\Windows\system32\csrss.exe{DCBFC465-3010-6227-A205-000000003702}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.659{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-3010-6227-A205-000000003702}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.660{DCBFC465-3010-6227-A205-000000003702}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB759303FCC590B5D283A2ABF16F77F8,SHA256=AB2F80BD4E66F00AC95B18D3EA7FA915980E19D8034084A2B01E4505138EA721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.177{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF7A71BEE36EB312E3090C9F1167BE28,SHA256=F75655AD5CF61F00A8FE222C7661998E1CF178C185C4CF18D41E7BBB34479BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-3010-6227-A105-000000003702}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-3010-6227-A105-000000003702}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.144{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-3010-6227-A105-000000003702}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:36.145{DCBFC465-3010-6227-A105-000000003702}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:37.709{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1592DF19273313FD7BA175B1843DCB,SHA256=112DBFF8052241BCE257782BD030BDD3832D0CA8DDA35396A2CBA5603C39A3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:37.331{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39870881FA95CDA9D084E8EB7E3136FE,SHA256=4B00107E9D014CCA9A8688EC3D44B08D9AF4D0FC8C757A9E1559FF8303EF57B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:37.331{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76ABB77C4DEB68F3C63C9A7219AA83C,SHA256=F994A34F45EA28706A747BB330D60802DC68DFA90E8DF63E03B3EBC3771A1548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:38.723{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAA6F59A68A0ACF0D312025826A042F,SHA256=8EBE41D4A1B50747954048858A7BB6EA8F1E4D4E89F15D835438EB3B999C4C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.362{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EF46E5D3E11AFD5C2E3DF3EA2BDDDD,SHA256=4F3AFCBBAE7A94626199B04F161F8C7B06947ACF9D07855B36FAEEBD138F52D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-204C-6227-9D00-000000003702}32923480C:\Windows\system32\conhost.exe{DCBFC465-3012-6227-A305-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDF-6227-0C00-000000003702}7082168C:\Windows\system32\svchost.exe{DCBFC465-1FE1-6227-1D00-000000003702}1892C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-1FDD-6227-0500-000000003702}404420C:\Windows\system32\csrss.exe{DCBFC465-3012-6227-A305-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.237{DCBFC465-204C-6227-9900-000000003702}30483280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DCBFC465-3012-6227-A305-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.238{DCBFC465-3012-6227-A305-000000003702}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DCBFC465-1FDE-6227-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:39.738{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EF05535795B9FCDFB0EAA60B84F180,SHA256=148E558B3FF7B90D4903AB1D314B464E33E13AB8BE7733A2A2FEF9ED5BA6EE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:39.378{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C5BC38BE2D4BCFE340B2C161BEFA34,SHA256=8B236E81C0407636711AE8A5F2DABE8FB43C78901ADB43A1EF0C4FCAF804641B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:35.738{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:39.237{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89124ACF50A32BD5AFA2A8ED403F5302,SHA256=C3D08BE6150FABD22CC95DA034C5E87486CA8AAB289B05E7E7998A312935750C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:40.394{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFED018BA5FD5C3D3A7FF60A1152A58,SHA256=4A49F86A64E67D3E138D8988CFCA5B8D02AD18AF8C94BB534E52663C4826F2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:40.755{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F32EBEE9B35DDFFB7E522E82A46CFB0,SHA256=9F4CD3EE66AE4CE6AD0B572844765FC0211BB8FE4DFE3678B4F7035BD84D0682,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:38.477{DCBFC465-2057-6227-C700-000000003702}2764C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000019802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:41.534{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62436341BE67FB58EA7937C5368E1CBE,SHA256=7508D9548D255CF5A88297E445DFCB65C3903500E43EF232E71319F698B74B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:41.761{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A1657622E45DEC9915A1EA1195A5B5,SHA256=FB60E63F0007EDD43A55C1D019834CCC55A51A4EFD48BB879E6D01734A744F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:42.792{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0539976450EBB909F60B3C750791F33D,SHA256=9F0CAD122B66231AE53EEA335DCD050762EE1785AE3C52A1AE4DA41DA0880C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:42.534{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553239E8B0671DC03662282DC44A785B,SHA256=9C01594ECE5ABCB7D611547C80CFB2D42389219E5ECD35783D189C1811A013C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:43.839{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27ECFDC89C89D6AB176EF08E57E4F811,SHA256=A10C11BBA89FFD731C62803F2BCBA27E15FD52939DE0F059BF3335F6E1607560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:43.534{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DAD97B3B6175386E19CCACBD67D2AA,SHA256=98815B23093DD3869CBA605D4DAF9D811C59C769E18C7B33F486C6A09B2B1CB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:41.606{C64CDE3E-1D02-6227-6E00-000000003602}3608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-462.attackrange.local51205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000037822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-462.attackrange.local-2022-03-08 10:29:44.859{C64CDE3E-1D0A-6227-7C00-000000003602}2428NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B98DF1E94F08BDBF5E8811B10636EB,SHA256=FCBD8E18BAF68EC34B0AAFD9884E2258C09873BF11522DDBAD80B995645B9357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:44.534{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8828A6E8B47496F8543A9C4E7F1B67BD,SHA256=61F034EA6D51EBBB8C03447979D2739C6B972A28A6DBD46D41FAB3B05FC216A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:44.409{DCBFC465-204C-6227-9900-000000003702}3048NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=3876A38BBEFCA90FF3CEDFEA240824F7,SHA256=1B0B546F5DF79768DBDD8B3924CC7FF13A208BFBDDD31484568BAA5945CCF5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:43.649{DCBFC465-204C-6227-9900-000000003702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-179.eu-central-1.compute.internal50503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000019808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-179-2022-03-08 10:29:45.534{DCBFC465-205C-6227-D300-000000003702}3628NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B942A999A98D56E11EDA2365B0F0EDB,SHA256=9C6EA62390C17325DE16E67AC6C24416235624020D452DB3D61EF888286BF370,IMPHASH=00000000000000000000000000000000falsetrue